CVE-2026-41377
OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)
Description
## Summary

Security Scan Failure Does Not Block Plugin Installation (Fail-Open)

## Current Maintainer Triage

- Status: open
- Normalized severity: low
- Assessment: Real in the shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package, and the scan failure was visible rather than silent.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `7a953a52271b9188a5fa830739a4366614ff9916` — 2026-03-30T15:36:08+01:00
- `44b993613601280d46a5b88190e46669fc13d669` — 2026-03-31T23:16:11+09:00
- `0d7f1e2c84eca65df7dee890d9c30e2a841c030a` — 2026-03-31T23:27:20+09:00
- `bf96c67fd1954740aeabfadc7cfe3098bcfc6b68` — 2026-03-31T15:53:29+01:00

OpenClaw thanks @davidluzsilva for reporting.
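The fail-open behaviour this advisory describes, as an added example that is not OpenClaw's code: a plugin-install gate in which a scanner error lets the install proceed, placed beside the fail-closed policy that blocks it. `gatePluginInstall`, the scanner stand-ins, the package object and the findings are all assumptions constructed for this example.

```javascript
// Added example, not OpenClaw's code: a plugin-install gate with the fail-open
// policy this advisory describes beside a fail-closed one. `scanPackage` stands
// in for a security scanner: it returns a list of findings, or throws when it
// cannot reach a verdict (timeout, unparseable archive). Every name, package
// shape and finding here is constructed for the example.

const BLOCKING_SEVERITIES = new Set(["high", "critical"]);

function gatePluginInstall(pkg, scanPackage, policy = "fail-closed") {
  let findings;
  try {
    findings = scanPackage(pkg);
  } catch (err) {
    // No verdict was produced. A fail-open gate treats "no verdict" like
    // "clean" and lets the install proceed; a fail-closed gate blocks it and
    // leaves any override to an explicit operator decision elsewhere.
    const allowed = policy === "fail-open";
    return {
      allowed,
      reason: `scan failed (${err.message}); ${allowed ? "proceeding" : "blocked"} under ${policy}`,
    };
  }
  const blocking = findings.filter((f) => BLOCKING_SEVERITIES.has(f.severity));
  if (blocking.length > 0) {
    return { allowed: false, reason: `blocked: ${blocking.map((f) => f.id).join(", ")}` };
  }
  return { allowed: true, reason: findings.length ? "warnings only" : "clean" };
}

// Constructed scanner stand-ins covering the three outcomes a gate must handle.
const cleanScanner = () => [];
const flaggingScanner = () => [{ id: "obfuscated-eval", severity: "high" }];
const brokenScanner = () => { throw new Error("scanner timed out"); };
const examplePkg = { name: "example-plugin", version: "1.0.0" }; // constructed

// Runs every scanner under both policies; only the broken scanner's outcome
// depends on the policy, which is exactly the fail-open gap.
function compareGatePolicies() {
  const out = {};
  for (const [label, scanner] of [["clean", cleanScanner], ["flagged", flaggingScanner], ["broken", brokenScanner]]) {
    out[label] = {
      "fail-open": gatePluginInstall(examplePkg, scanner, "fail-open").allowed,
      "fail-closed": gatePluginInstall(examplePkg, scanner, "fail-closed").allowed,
    };
  }
  return out;
}

console.log(JSON.stringify(compareGatePolicies(), null, 2));
```

The row worth checking is `broken`: under fail-open the install is allowed with no verdict at all, under fail-closed it is blocked.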
How to fix CVE-2026-41377
To remediate CVE-2026-41377, upgrade the affected package to a fixed version below.
- `openclaw` (npm): upgrade to 2026.3.31 or later
Is CVE-2026-41377 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `openclaw` (npm): all versions from 0 up to, but not including, 2026.3.31
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |