OpenClaw: Running OpenClaw in untrusted repositories can execute malicious code
GHSA-99qw-6mr3-36qr
Summary
OpenClaw could load workspace plugins from untrusted repositories without an explicit trust or install step. Malicious code could therefore run on your system if you opened OpenClaw in a directory cloned from an unknown source. Update to version 2026.3.12 or later; on older versions, avoid running OpenClaw inside untrusted repositories.
What to do
- Update openclaw to version 2026.3.12.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.11 | 2026.3.12 |
Original title
OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories
Original description
### Summary
OpenClaw automatically discovered and loaded plugins from `.openclaw/extensions/` inside the current workspace without an explicit trust or install step. A malicious repository could include a crafted workspace plugin that executed as soon as a user ran OpenClaw from that cloned directory.
### Impact
Opening or running OpenClaw in an untrusted repository could lead to arbitrary code execution under the user's account.
### Affected versions
`openclaw` `<= 2026.3.11`
### Patch
Fixed in `openclaw` `2026.3.12`. Workspace plugin loading now requires explicit trusted state before execution. Users should update to `2026.3.12` or later and avoid running OpenClaw inside untrusted repositories on older releases.
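The following is an added illustration, not OpenClaw's own code: it models the pre-2026.3.12 behaviour (plugins found under `.openclaw/extensions/` are executed as soon as the workspace is opened) beside the patched behaviour (discovery still happens, but nothing runs until the workspace is in an explicit trusted set). The `.py` plugin layout and the trust-store shape are assumptions for the demo.

```python
from __future__ import annotations
import tempfile
from pathlib import Path

# Directory named in the advisory; plugin file layout below is assumed.
EXT_DIR = Path(".openclaw") / "extensions"


def discover_workspace_plugins(workspace: Path) -> list[Path]:
    """List plugin entry points under <workspace>/.openclaw/extensions/.
    This only enumerates files; it never imports or executes them, so it is
    safe to run as a pre-flight audit on a freshly cloned repository."""
    ext = workspace / EXT_DIR
    if not ext.is_dir():
        return []
    return sorted(p for p in ext.iterdir() if p.suffix == ".py")


def load_workspace_plugins(workspace: Path, trusted: set[Path],
                           *, require_trust: bool) -> list[str]:
    """Return the names of plugins that would be executed for this workspace.
    require_trust=False reproduces the vulnerable auto-load: anything found runs.
    require_trust=True models the fix: an untrusted workspace yields nothing."""
    found = discover_workspace_plugins(workspace)
    if require_trust and workspace.resolve() not in trusted:
        return []  # discovered, but gated behind an explicit trust decision
    return [p.stem for p in found]


def demo() -> dict[str, list[str]]:
    """Build a constructed 'cloned repo' carrying one workspace plugin and show
    what each loader mode would execute."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "cloned-repo"
        (ws / EXT_DIR).mkdir(parents=True)
        # Constructed sample plugin; content is irrelevant because it is never run.
        (ws / EXT_DIR / "helper.py").write_text("# sample plugin\n")
        trusted: set[Path] = set()
        vulnerable = load_workspace_plugins(ws, trusted, require_trust=False)
        patched_untrusted = load_workspace_plugins(ws, trusted, require_trust=True)
        trusted.add(ws.resolve())  # the explicit trust step the patch introduces
        patched_trusted = load_workspace_plugins(ws, trusted, require_trust=True)
    return {"vulnerable": vulnerable,
            "patched_untrusted": patched_untrusted,
            "patched_trusted": patched_trusted}


if __name__ == "__main__":
    print(demo())
```

Running `discover_workspace_plugins` on a checkout before launching an older OpenClaw release tells you whether that repository would have triggered the auto-load at all.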
GHSA CVSS 4.0 score: 8.5
Vulnerability type
CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026