#VU125256 Not Failing Securely ('Failing Open') in OpenClaw

Published: April 8, 2026


Vulnerability identifier: #VU125256
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-636
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a remote user to install an untrusted plugin despite a failed security scan.

The vulnerability exists because the plugin installation flow does not fail securely when the security scan of a package fails during installation: instead of blocking the install, it reports the scan failure and still lets the user proceed. A remote user can choose to install the untrusted package after the failure is shown, installing a plugin that never passed a security scan.

The scan failure was visible rather than silent, and exploitation requires an operator to choose installation of an untrusted package.
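The fail-open decision the advisory describes, beside a fail-closed form, as an added illustration that is not OpenClaw's code: the scan result shape, `decideInstallFailOpen`, `decideInstallFailClosed` and the sample scan results are all assumed, and the hardened variant treats a scanner error the same as a positive finding.

```typescript
// Illustration of CWE-636 in a plugin install flow. Hypothetical code, not
// OpenClaw's: the scanner result shape and both decision functions are assumed.

type ScanResult =
  | { kind: "clean" }
  | { kind: "findings"; findings: string[] }
  | { kind: "error"; reason: string }; // scanner crashed, timed out or was unavailable

type Decision = "install" | "block";

// Fail-open variant: when the scan itself fails, the error is shown and the
// user may still opt in, so a broken or unreachable scanner degrades to "no scan".
function decideInstallFailOpen(scan: ScanResult, userAcceptsRisk: boolean): Decision {
  if (scan.kind === "clean") return "install";
  if (scan.kind === "findings") return "block";
  // BUG: a package that was never verified is installable after a scanner failure.
  return userAcceptsRisk ? "install" : "block";
}

// Fail-closed variant: only a completed, clean scan permits installation.
// A scanner error is handled like a finding, and there is no interactive override.
function decideInstallFailClosed(scan: ScanResult): Decision {
  return scan.kind === "clean" ? "install" : "block";
}

// Constructed scan results for a walkthrough (not real scanner output).
const SAMPLE_SCANS: ScanResult[] = [
  { kind: "clean" },
  { kind: "findings", findings: ["postinstall script spawns a shell"] },
  { kind: "error", reason: "scanner timed out" },
];

// Run both policies over the samples with the user accepting the risk; the
// third row is the divergence the advisory describes (scan failure + consent => install).
function compare(): Array<{ scan: string; failOpen: Decision; failClosed: Decision }> {
  return SAMPLE_SCANS.map((scan) => ({
    scan: scan.kind,
    failOpen: decideInstallFailOpen(scan, true),
    failClosed: decideInstallFailClosed(scan),
  }));
}

console.table(compare());
```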


Remediation

Install security update from vendor's website.

External links