CVE-2026-41377

Severity: MEDIUM 4.6 | EPSS: 0.04%

OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)

Published: 2026/4/2 | Modified: 2026/5/6

Description

## Summary

Security Scan Failure Does Not Block Plugin Installation (Fail-Open)

## Current Maintainer Triage

- Status: open
- Normalized severity: low
- Assessment: Real in the shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package, and the scan failure was visible rather than silent.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `7a953a52271b9188a5fa830739a4366614ff9916` — 2026-03-30T15:36:08+01:00
- `44b993613601280d46a5b88190e46669fc13d669` — 2026-03-31T23:16:11+09:00
- `0d7f1e2c84eca65df7dee890d9c30e2a841c030a` — 2026-03-31T23:27:20+09:00
- `bf96c67fd1954740aeabfadc7cfe3098bcfc6b68` — 2026-03-31T15:53:29+01:00

OpenClaw thanks @davidluzsilva for reporting.

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | (not rated) | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |

References (11)