{"data":{"id":"5576d580-2114-4f79-8f6e-626540b7a4c1","title":"GHSA-3vvq-q2qc-7rmp: OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification","summary":"OpenClaw, a user-controlled local assistant, had a vulnerability where ClawHub package downloads didn't verify the integrity of downloaded files (a security check ensuring files haven't been tampered with). This meant malicious or corrupted plugin archives could be installed without detection. The vulnerability affected OpenClaw versions 2026.4.1 and earlier.","solution":"Update to OpenClaw npm package version 2026.4.8 or later. The fix is also available in the main branch at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-3vvq-q2qc-7rmp","publishedAt":"2026-04-09T17:37:13.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.4.8 (fixed: 2026.4.8)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-09T17:37:13.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":"plugin","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}