CVE-2026-41360
Title: Approval Integrity Vulnerability in OpenClaw pnpm dlx
Arbitrary File Access
Proof Of Concept
No public PoC currently indexed for CVE-2026-41360.
CWE Category
CWE-367
Published Date
Apr 23, 2026
Modified Date
May 01, 2026
Exploit Status
Not Found
Score
5.4
CVSS v4.0
Exploit Probability (EPSS)
0.09%
Vulnerability Summary
CVE-2026-41360: OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scripts before execution without invalidating the approval plan, allowing execution of modified script contents.
Impacted Vendors
Reference Links
CVSS v4.0
Source Entity
[email protected]
Severity
MEDIUM
5.4
Attack Vector
LOCAL
Complexity
HIGH
Privileges
N/A
Interaction
PASSIVE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
N/A
RAW VECTOR
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1
Source Entity
[email protected]
Severity
MEDIUM
6.7
Attack Vector
LOCAL
Complexity
HIGH
Privileges
N/A
Interaction
REQUIRED
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
UNCHANGED
RAW VECTOR
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Associated Attack Patterns (CAPEC)
Total: PatternsNo specific attack patterns mapped.
Likelihood
Severity
Page /
CVE-2026-41360 Exploits & PoCs (Proof Of Concept)
No public PoCs found in our database for this CVE.
MODIFIED
Vulnerability data updated via NVD.
MODIFIED
Vulnerability data updated via NVD.
MODIFIED
Vulnerability data updated via NVD.
Attack Vector Matrix
Access Vector
LOCAL
Complexity
HIGH
Privileges
N/A
Interaction
PASSIVE
CVSS Vector String
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Stack
No specific products linked.