PT-2026-31957 · OpenClaw

妙尽璇机 · Published 2026-03-30 · Updated 2026-04-16

CVE-2026-35641

CVSS v4.0: 8.4 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.24

Description: OpenClaw versions before 2026.3.24 contain an arbitrary code execution vulnerability in local plugin and hook installation. An attacker crafts a package containing a malicious .npmrc file that overrides npm's git executable path, together with a git dependency. When `npm install` runs in the staged package directory, npm resolves the git dependency by invoking the program named in the attacker-controlled .npmrc, so an arbitrary local program is executed. The root cause is that the installation process does not strip the project-root .npmrc from the staged package, which allows the attacker to redirect npm's git executable. The affected paths include the plugin and hook CLI entry points as well as the plugin and hook local directory/archive installation routines. The vulnerability is triggered when a user installs a local plugin or hook with a command such as `openclaw plugins install <path-or-spec>` or `openclaw hooks install <path-or-spec>`, where `<path-or-spec>` points to a malicious package containing the crafted .npmrc file and a git dependency. This is a security concern because code runs during installation, before the plugin or hook is considered trusted. Both plugin and hook installations are affected.

Recommendations: Update to OpenClaw version 2026.3.24 or later.

Weakness Enumeration: Untrusted Search Path

Related Identifiers: CVE-2026-35641, GHSA-M3MH-3MPG-37HW

Affected Products: OpenClaw