Vulnerability in Openclaw
CVE-2026-41360
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scripts before execution without invalidatin…
Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)
EPSS: 0.000 (2.0th percentile).
CVSS v3 metric
CVSS v3 base score 6.7 (Medium). Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H.
Affected products
- Openclaw — all versions from 0 up to, but not including, 2026.4.2 (fixed in 2026.4.2)
Weakness classification (CWE)
- Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
References
- GitHub Security Advisory GHSA-w6wx-jq6j-6mcj (vendor advisory)
- Patch commit (patch)
- VulnCheck Advisory: OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding (third-party advisory)
Frequently asked questions
- What is CVE-2026-41360?
- CVE-2026-41360 is a medium-severity vulnerability in Openclaw, classified under Time-of-check Time-of-use (TOCTOU) Race Condition. CVSS score: 6.7/10. Published 2026-04-23.
- How severe is CVE-2026-41360?
- Medium severity. CVSS v3 base score is 6.7 out of 10.