GHSA-3vvq-q2qc-7rmp: OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
Summary
OpenClaw, a user-controlled local assistant, had a vulnerability in which ClawHub package downloads were not verified for integrity (a check that the downloaded file matches what the registry published and has not been tampered with in transit or at rest). As a result, a malicious or corrupted plugin archive could be installed without detection. The vulnerability affected OpenClaw versions 2026.4.1 and earlier.
Solution / Mitigation
Update to OpenClaw npm package version 2026.4.8 or later. The fix is also available in the main branch at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
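The mitigation pattern the advisory describes, shown as an added example: a downloaded plugin archive is hashed and compared against a pinned digest before the extractor ever touches it. This is illustrative code written for this page, not OpenClaw's or ClawHub's implementation; the tar.gz format, the `install_plugin` name and the assumption that the registry publishes a SHA-256 per package are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import io
import tarfile

# Example code, not from OpenClaw or ClawHub. Assumes the registry publishes
# a SHA-256 digest alongside each package and that plugins ship as tar.gz.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_archive(archive: bytes, expected_sha256: str) -> bool:
    """Compare the digest of the downloaded bytes to the pinned digest.

    compare_digest avoids leaking how many leading characters matched."""
    actual = sha256_hex(archive)
    return hmac.compare_digest(actual.lower(), expected_sha256.lower())


def install_plugin(archive: bytes, expected_sha256: str) -> list[str]:
    """Return the member names of a verified archive, or raise.

    The digest is checked on the raw download, before any archive parsing,
    so a tampered or truncated file never reaches the extractor."""
    if not verify_archive(archive, expected_sha256):
        raise ValueError("plugin archive integrity check failed; refusing to install")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return [member.name for member in tar.getmembers()]


def build_sample_archive(files: dict[str, bytes]) -> bytes:
    """Constructed sample plugin archive (tar.gz) used for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive({"plugin.json": b'{"name": "demo"}'})
    pinned = sha256_hex(sample)            # what a registry manifest would carry
    print(install_plugin(sample, pinned))  # verified: members are listed
    tampered = sample[:-1] + bytes([sample[-1] ^ 0xFF])
    print(verify_archive(tampered, pinned))  # False: install would be refused
```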
Original source: https://github.com/advisories/GHSA-3vvq-q2qc-7rmp
First tracked: April 9, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 85%