Platform: nodejs
Component: openclaw
Fixed in: 2026.3.12
CVE-2026-32920 describes a Remote Code Execution (RCE) vulnerability in OpenClaw, a Node.js extension loader. This flaw allows malicious workspace plugins to execute arbitrary code when OpenClaw is run from an untrusted repository, potentially granting attackers control over the system. The vulnerability affects versions of OpenClaw up to and including 2026.3.11, and a fix is available in version 2026.3.12.
The primary impact of CVE-2026-32920 is the potential for arbitrary code execution. An attacker could craft a malicious workspace plugin within a cloned repository. When a user runs OpenClaw from that repository, the plugin would automatically load and execute, giving the attacker control under the user's privileges. This could lead to data theft, system compromise, or further malicious activity. The blast radius is limited to the user account running OpenClaw, but the consequences of that compromise can be severe, particularly if the user has administrative privileges or access to sensitive data.
CVE-2026-32920 was publicly disclosed on March 13, 2026. As of this writing, there are no publicly available proof-of-concept exploits. The EPSS score is likely to be medium, given the relatively straightforward nature of the exploit (crafting a malicious plugin) and the potential for widespread impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
The primary mitigation for CVE-2026-32920 is to upgrade OpenClaw to version 2026.3.12 or later. This version introduces explicit trust mechanisms for workspace plugin loading, preventing the automatic execution of untrusted code. If upgrading is not immediately feasible, avoid running OpenClaw from untrusted repositories. Consider implementing a code review process for any workspace plugins before running OpenClaw in those environments. There are no WAF or proxy rules that can directly mitigate this vulnerability, as it occurs during plugin loading within the application itself.
Update OpenClaw to version 2026.3.12 or later. This version fixes the vulnerability that allows arbitrary code execution through the automatic loading of unverified plugins.
CVE-2026-32920 is a Remote Code Execution vulnerability in OpenClaw versions up to 2026.3.11, allowing malicious plugins to execute when OpenClaw runs from an untrusted repository.
Yes, if you are using OpenClaw version 2026.3.11 or earlier, you are vulnerable. Check your OpenClaw version and upgrade immediately.
Upgrade OpenClaw to version 2026.3.12 or later. This resolves the vulnerability by requiring explicit trust for workspace plugins.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is considered high severity and should be addressed promptly.
Refer to the OpenClaw project's official website or GitHub repository for the latest security advisories and updates.