CVE-2026-43569 HIGH

CVE-2026-43569: OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth

Vendor Openclaw
Product OpenClaw
Weakness CWE-829 · Inclusion from untrusted sphere
Published May 5, 2026
Last update May 6, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent.

Key dates

02Disclosure timeline

May 5, 2026 CVE published
May 6, 2026 Record updated