CVE-2026-53810: openclaw Marketplace Runtime Extension Metadata Code Injection
A crafted marketplace plugin package can point OpenClaw's runtime extension loader at hidden, unscanned code files, letting an installed plugin run arbitrary logic that was never reviewed during insta
The problem
OpenClaw before 2026.5.18 trusts the runtime extension metadata bundled inside a marketplace package to locate the code it loads at runtime. That metadata is not independently verified against the entry points that were scanned during install review.
If a trusted operator installs a package whose metadata has been tampered with, or if a malicious publisher crafts that metadata deliberately, the runtime loads plugin code outside the reviewed entry points. Depending on operator configuration, lower-trust input paths may be able to trigger that load, achieving arbitrary code execution under the gateway process.
The fix
Upgrade to openclaw 2026.5.18 or later (`npm install -g openclaw@latest`). Until patched: install only plugins from explicitly trusted sources, keep plugin allowlists narrow, disable the marketplace runtime extension feature if it is not needed, and avoid sharing one Gateway instance between mutually untrusted users.
Related research
- high · 7.1CVE-2026-53831: openclaw system.run Safe-Bin Allowlist Bypass via Shell Expansion
- highCVE-2026-53832: openclaw Trusted-Proxy Identity Header Forgery via Same-Host Loopback
- high · 8CVE-2026-53817CVE-2026-53817: openclaw Control UI Locality Spoofing to Admin Token Mint
- high · 8.4CVE-2026-53814CVE-2026-53814: openclaw Hook-Triggered CLI Privilege Escalation to Owner MCP Scope