CVE-2026-43571 Overview
CVE-2026-43571 is a plugin trust bypass vulnerability affecting OpenClaw versions before 2026.4.10. The flaw resides in the channel setup discovery logic, where catalog lookups resolve workspace plugin shadows before bundled channel plugins. This ordering allows untrusted workspace-supplied plugins to shadow bundled plugins during setup-time loading. An attacker who can place a malicious plugin into an OpenClaw workspace can subvert the trust gate intended to restrict which plugins load during channel setup. The issue is tracked under CWE-829: Inclusion of Functionality from Untrusted Control Sphere.
Critical Impact
A crafted workspace plugin can bypass OpenClaw's plugin trust model and execute under the trust context of bundled channel plugins, leading to high impact on confidentiality, integrity, and availability.
Affected Products
- OpenClaw (Node.js distribution) versions prior to 2026.4.10
- Component: openclaw:openclaw
- Affected modules: src/commands/channel-setup/discovery.ts and src/commands/channel-setup/plugin-install.ts
Discovery Timeline
- 2026-05-05 - CVE-2026-43571 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43571
Vulnerability Analysis
OpenClaw's channel setup workflow enumerates available channel plugins through a catalog lookup. Prior to the fix, the catalog resolution gave precedence to workspace-local plugin shadows over bundled, trusted channel plugins. A workspace plugin with a name matching a bundled plugin would be resolved first and loaded by the setup routine. Because setup-time loading runs before user trust prompts, the attacker-controlled plugin executes under the trust assumptions of a bundled plugin. The vulnerability is exploitable over the network with low attack complexity and requires low privileges, with no user interaction at the time of channel setup.
Root Cause
The root cause is incorrect resolution order in listChannelPluginCatalogEntries and getChannelPluginCatalogEntry from src/channels/plugins/catalog.ts. These functions did not exclude workspace shadows during the channel setup phase. As a result, untrusted workspace plugins were treated as valid candidates by trust-gated setup code paths.
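The resolution-order defect described above, reduced to a small model. This is an added example and not OpenClaw's code: the entry type, the field names, the two resolver functions and the plugin ids ("example-chat", "example-mail") are constructed for the demonstration; OpenClaw's real catalog helpers are the ones named in the paragraph above. The unsafe resolver mirrors the pre-fix behaviour (workspace entries are considered ahead of bundled ones, so a same-named workspace plugin wins), while the trusted resolver follows the fix's approach of excluding workspace-origin entries from setup-time candidates altogether, so ordering no longer matters.

```typescript
// Illustrative model of the catalog resolution order behind CVE-2026-43571.
// Added example, not OpenClaw's code: types, field names and plugin ids are constructed.

type PluginOrigin = "bundled" | "workspace";

interface CatalogEntry {
  id: string;            // channel plugin identifier used for lookup
  origin: PluginOrigin;  // where the plugin came from
  entryPath: string;     // constructed path, never read in this example
}

// Constructed catalog: the workspace copy of "example-chat" shadows the bundled one.
const sampleCatalog: CatalogEntry[] = [
  { id: "example-chat", origin: "workspace", entryPath: "/tmp/workspace/plugins/example-chat/index.js" },
  { id: "example-chat", origin: "bundled", entryPath: "/opt/openclaw/plugins/example-chat/index.js" },
  { id: "example-mail", origin: "bundled", entryPath: "/opt/openclaw/plugins/example-mail/index.js" },
];

// Rank used by the unsafe lookup: workspace (0) is considered before bundled (1).
function originRank(origin: PluginOrigin): number {
  return origin === "workspace" ? 0 : 1;
}

// Pre-fix style resolution: the first entry with a matching id wins, and
// workspace shadows sort ahead of bundled plugins, so the untrusted copy is chosen.
function getEntryUnsafe(catalog: CatalogEntry[], id: string): CatalogEntry | undefined {
  const ordered = [...catalog].sort((a, b) => originRank(a.origin) - originRank(b.origin));
  return ordered.find((e) => e.id === id);
}

// Setup-time candidates after the fix's approach: workspace-origin entries are
// excluded outright, so a shadow can never be a candidate regardless of ordering.
function listTrustedEntries(catalog: CatalogEntry[]): CatalogEntry[] {
  return catalog.filter((e) => e.origin === "bundled");
}

function getTrustedEntry(catalog: CatalogEntry[], id: string): CatalogEntry | undefined {
  return listTrustedEntries(catalog).find((e) => e.id === id);
}

// Reports which origin a given resolver picks for an id in the sample catalog.
function resolvedOrigin(
  resolver: (catalog: CatalogEntry[], id: string) => CatalogEntry | undefined,
  id: string,
): PluginOrigin | undefined {
  return resolver(sampleCatalog, id)?.origin;
}

console.log("unsafe lookup picks:", resolvedOrigin(getEntryUnsafe, "example-chat"));
console.log("trusted lookup picks:", resolvedOrigin(getTrustedEntry, "example-chat"));
```

The point of the trusted variant is that it filters by provenance rather than reordering: a workspace entry is not a lower-priority candidate, it is not a candidate at all during setup, which is the property the trust gate needs.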
Attack Vector
An attacker writes a malicious plugin to the OpenClaw agent workspace directory using a name that shadows a bundled channel plugin. When the victim runs the channel setup command, OpenClaw resolves the workspace shadow first and loads its code. The plugin then runs with the privileges granted to bundled, trusted plugins during setup.
// Patch: src/commands/channel-setup/discovery.ts
import { resolveAgentWorkspaceDir, resolveDefaultAgentId } from "../../agents/agent-scope.js";
-import {
- listChannelPluginCatalogEntries,
- type ChannelPluginCatalogEntry,
-} from "../../channels/plugins/catalog.js";
+import { type ChannelPluginCatalogEntry } from "../../channels/plugins/catalog.js";
import { isChannelVisibleInSetup } from "../../channels/plugins/exposure.js";
import type { ChannelMeta, ChannelPlugin } from "../../channels/plugins/types.js";
import { listChatChannels } from "../../channels/registry.js";
import type { OpenClawConfig } from "../../config/config.js";
import { applyPluginAutoEnable } from "../../config/plugin-auto-enable.js";
import { loadPluginManifestRegistry } from "../../plugins/manifest-registry.js";
import type { ChannelChoice } from "../onboard-types.js";
+import {
+ listSetupDiscoveryChannelPluginCatalogEntries,
+ listTrustedChannelPluginCatalogEntries,
+} from "./trusted-catalog.js";
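Review bot: the surviving catalog import, `+import { type ChannelPluginCatalogEntry } from "../../channels/plugins/catalog.js";`, is now type-only and should be written `import type { ChannelPluginCatalogEntry } from ...` to match the file's other type-only imports (`import type { ChannelMeta, ChannelPlugin }`, `import type { OpenClawConfig }`) and so it is erased entirely rather than left as a side-effect import of catalog.js. Separately, this excerpt shows only the import swap: the call sites in discovery.ts that now use `listSetupDiscoveryChannelPluginCatalogEntries` and `listTrustedChannelPluginCatalogEntries` are not shown, nor is the companion change to src/commands/channel-setup/plugin-install.ts listed under affected modules, so the excerpt alone does not let a reviewer confirm that every former `listChannelPluginCatalogEntries` call was replaced.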
Source: GitHub Commit 1fede43. The fix replaces the generic catalog functions with listSetupDiscoveryChannelPluginCatalogEntries and listTrustedChannelPluginCatalogEntries, which exclude workspace shadows during setup-time resolution.
Detection Methods for CVE-2026-43571
Indicators of Compromise
- Unexpected plugin files appearing under the OpenClaw agent workspace plugin directory, particularly with names matching bundled channel plugins.
- Modification timestamps on workspace plugin manifests that predate or coincide with channel setup invocations.
- Outbound network connections from node processes spawned by OpenClaw channel setup to non-vendor endpoints.
Detection Strategies
- Compare hashes of loaded channel plugins against the bundled plugin set shipped with the installed OpenClaw version.
- Audit package.json and plugin manifest files within agent workspace directories for entries that shadow bundled channel plugin identifiers.
- Inspect process execution telemetry for openclaw channel setup commands followed by spawning of unsigned or unexpected scripts.
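The manifest audit and hash comparison from the list above, as an added example that is not OpenClaw's own tooling. It assumes (not taken from the advisory) that each workspace plugin lives in its own subdirectory under `<workspace>/plugins`, that it carries a `package.json` whose `name` field is the channel plugin identifier, and that the operator supplies the set of bundled plugin ids from the installed release; the plugin names used below are constructed. The function reports every workspace plugin whose id collides with a bundled id, records a SHA-256 of its manifest for comparison against a known-good set, and lists manifests it could not read rather than skipping them, since a deliberately unparseable manifest is itself worth a look.

```typescript
// Added detection example for CVE-2026-43571, not OpenClaw's code.
// Assumed layout: <workspace>/plugins/<dir>/package.json with a "name" field as the plugin id.
import { createHash } from "node:crypto";
import { existsSync, mkdirSync, mkdtempSync, readdirSync, readFileSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

interface ShadowFinding {
  pluginDir: string;       // directory of the workspace plugin
  id: string;              // identifier read from its manifest
  manifestSha256: string;  // hash of the manifest, to compare with a known-good set
}

interface AuditReport {
  shadows: ShadowFinding[];  // workspace plugins whose id matches a bundled id
  unreadable: string[];      // plugin dirs whose manifest is missing, unparseable or has no name
}

// Walk the workspace plugin directory and flag ids that collide with bundled ids.
function findShadowingPlugins(workspaceDir: string, bundledIds: ReadonlySet<string>): AuditReport {
  const pluginsRoot = join(workspaceDir, "plugins");
  const report: AuditReport = { shadows: [], unreadable: [] };
  if (!existsSync(pluginsRoot)) return report;

  for (const entry of readdirSync(pluginsRoot, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue;
    const pluginDir = join(pluginsRoot, entry.name);
    let raw: string;
    try {
      raw = readFileSync(join(pluginDir, "package.json"), "utf8");
    } catch (_readError) {
      report.unreadable.push(pluginDir);
      continue;
    }
    let id: unknown;
    try {
      id = (JSON.parse(raw) as { name?: unknown }).name;
    } catch (_parseError) {
      report.unreadable.push(pluginDir);
      continue;
    }
    if (typeof id !== "string") {
      report.unreadable.push(pluginDir);
      continue;
    }
    if (bundledIds.has(id)) {
      report.shadows.push({
        pluginDir,
        id,
        manifestSha256: createHash("sha256").update(raw).digest("hex"),
      });
    }
  }
  return report;
}

// Build a throwaway workspace with constructed plugins so the audit runs offline:
// one shadows a bundled id, one is benign, one has a deliberately broken manifest.
function buildSampleWorkspace(): string {
  const workspaceDir = mkdtempSync(join(tmpdir(), "openclaw-audit-"));
  const plugins = join(workspaceDir, "plugins");
  mkdirSync(join(plugins, "example-chat"), { recursive: true });
  writeFileSync(join(plugins, "example-chat", "package.json"),
    JSON.stringify({ name: "example-chat", version: "0.0.1" }));
  mkdirSync(join(plugins, "my-local-tool"), { recursive: true });
  writeFileSync(join(plugins, "my-local-tool", "package.json"),
    JSON.stringify({ name: "my-local-tool", version: "1.0.0" }));
  mkdirSync(join(plugins, "broken"), { recursive: true });
  writeFileSync(join(plugins, "broken", "package.json"), "{ not json");
  return workspaceDir;
}

// Constructed bundled id set; on a real host derive it from the installed OpenClaw release.
const sampleBundledIds: ReadonlySet<string> = new Set(["example-chat", "example-mail"]);

function runSampleAudit(): AuditReport {
  return findShadowingPlugins(buildSampleWorkspace(), sampleBundledIds);
}

console.log(JSON.stringify(runSampleAudit(), null, 2));
```

On a real host, point `findShadowingPlugins` at the agent workspace (the page's upgrade snippet uses `$HOME/.openclaw/agents/default`) and feed it the bundled id list from the installed release; any entry in `shadows` whose `manifestSha256` is not in your known-good set is a plugin drop worth investigating, and anything in `unreadable` deserves a manual look.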
Monitoring Recommendations
- Enable file integrity monitoring on agent workspace directories used by OpenClaw to detect plugin drop events.
- Forward OpenClaw CLI execution logs to a central data lake and alert on channel setup invocations from non-administrator accounts.
- Track installations of OpenClaw versions and flag any host running a release older than 2026.4.10.
How to Mitigate CVE-2026-43571
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later on every host where the CLI or agent is installed.
- Inventory existing agent workspaces and remove any plugin that was not authorized by the workspace owner.
- Restrict write access to agent workspace directories to trusted administrators only.
Patch Information
The fix is delivered in commit 1fede43b948df40ca8674511d4bd08d39f6c5837 and described in GitHub Security Advisory GHSA-82qx-6vj7-p8m2. Additional analysis is available in the VulnCheck Advisory on OpenClaw Plugin. The patch introduces dedicated trusted-catalog helpers that exclude workspace plugin shadows from setup-time discovery and install paths.
Workarounds
- Operate OpenClaw only with workspace directories whose contents are fully controlled by trusted users until the upgrade is applied.
- Avoid running channel setup workflows on shared or multi-tenant hosts where untrusted users can write to the agent workspace.
- Remove or rename any workspace-local channel plugin whose identifier matches a bundled plugin name.
# Upgrade OpenClaw to a patched release
npm install -g openclaw@2026.4.10
# Verify the installed version
openclaw --version
# Audit workspace plugins for shadows of bundled channel plugins
ls -la "$HOME/.openclaw/agents/default/plugins"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.