SecuriTricks - CVE-2026-42428

Description

OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.

Product(s) Impacted

Vendor	Product	Versions
Openclaw	Openclaw	<2026.4.8

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-353

Missing Support for Integrity Check

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	openclaw	openclaw	<2026.4.8	/	/	/	/	/	/	/

References

https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5

https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp

https://www.vulncheck.com/advisories/openclaw-missing-integrity-verification-in-package-downloads

CVSS Score

7.5 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: LOW
User Interaction: PASSIVE
Scope:
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: April 28, 2026, 7:37 p.m.
Last Modified: April 28, 2026, 8:10 p.m.

Status : Undergoing Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

CVE-2026-42428