PT-2026-32208 · Npm · Openclaw
Published
2026-04-02
·
Updated
2026-04-02
CVSS v3.1
4.6
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
Summary
Security Scan Failure Does Not Block Plugin Installation (Fail-Open)
Current Maintainer Triage
- Status: open
- Normalized severity: low
- Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package and the scan failure was visible rather than silent.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
7a953a52271b9188a5fa830739a4366614ff9916— 2026-03-30T15:36:08+01:0044b993613601280d46a5b88190e46669fc13d669— 2026-03-31T23:16:11+09:000d7f1e2c84eca65df7dee890d9c30e2a841c030a— 2026-03-31T23:27:20+09:00bf96c67fd1954740aeabfadc7cfe3098bcfc6b68— 2026-03-31T15:53:29+01:00
OpenClaw thanks @davidluzsilva for reporting.
Fix
Improper Check for Exceptional Conditions
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw