High severity (7.1) · NVD Advisory · Published Apr 28, 2026 · Updated Apr 30, 2026
CVE-2026-42428
Description
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.4.8 | 2026.4.8 |
References
- github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5 (NVD: Patch)
- github.com/advisories/GHSA-3vvq-q2qc-7rmp (GHSA: Advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp (NVD: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-42428 (GHSA: Advisory)
- www.vulncheck.com/advisories/openclaw-missing-integrity-verification-in-package-downloads (NVD: Third Party Advisory)