CVE-2026-26320
Command Injection via Incomplete URL Scheme Confirmation in OpenClaw
Publication date: 2026-02-19
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | From 2026.2.6 (inc) to 2026.2.14 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-451 | The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the OpenClaw macOS desktop client, which registers the openclaw:// URL scheme. When a user encounters an openclaw://agent deep link without an unattended key, the app shows a confirmation dialog displaying only the first 240 characters of the message. However, after the user clicks "Run," the full message is executed.
An attacker can exploit this by padding the message with whitespace to push a malicious payload beyond the visible preview, causing the user to approve a different message than the one actually executed. This can lead to arbitrary command execution depending on the user's configured tool approvals or allowlists.
This is a social-engineering mediated vulnerability because the confirmation prompt misrepresents the executed message. The issue is fixed in version 2026.2.14.
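As an added example (not OpenClaw's own code), the following models the 240-character preview described above and the check a hardened confirmation dialog could run instead; the `message` and `key` query-parameter names are assumptions, and the sample links are constructed with a labelled placeholder as the hidden tail.

```python
"""Models the preview-truncation flaw behind CVE-2026-26320 and a hardened check.
Assumptions: the deep link carries the agent text in a `message` query parameter
and the unattended key in `key` (names assumed); the 240-character preview limit
is taken from the advisory."""
import re
from urllib.parse import parse_qs, urlparse

PREVIEW_LIMIT = 240  # characters the vulnerable dialog showed


def parse_agent_link(url: str) -> dict:
    """Pull message and key out of an openclaw://agent?... deep link."""
    u = urlparse(url)
    if u.scheme != "openclaw" or u.netloc != "agent":
        raise ValueError("not an openclaw://agent link")
    q = parse_qs(u.query, keep_blank_values=True)
    return {"message": q.get("message", [""])[0], "key": q.get("key", [None])[0]}


def vulnerable_preview(message: str) -> str:
    """Pre-2026.2.14 behaviour as described: show only the first 240 characters."""
    return message[:PREVIEW_LIMIT]


def collapse(text: str) -> str:
    """Fold whitespace runs so padding cannot push text out of view."""
    return re.sub(r"\s+", " ", text).strip()


def preview_is_faithful(message: str) -> bool:
    """True iff the truncated preview shows everything the agent would run."""
    return collapse(vulnerable_preview(message)) == collapse(message)


def hardened_prompt(message: str) -> dict:
    """What a fixed dialog should present: the whitespace-collapsed text in
    full, plus an explicit flag when it still exceeds the display budget."""
    text = collapse(message)
    return {"preview": text, "truncated": len(text) > PREVIEW_LIMIT}


# Constructed sample links; the hidden tail is a placeholder, not a command.
BENIGN_LINK = "openclaw://agent?message=summarise+my+notes+from+today"
PADDED_LINK = ("openclaw://agent?message=summarise+my+notes+from+today"
               + "+" * 300 + "%5BHIDDEN-TEXT-PLACEHOLDER%5D")

if __name__ == "__main__":
    for link in (BENIGN_LINK, PADDED_LINK):
        msg = parse_agent_link(link)["message"]
        print(repr(vulnerable_preview(msg).strip()), preview_is_faithful(msg),
              hardened_prompt(msg))
```

For the padded link the vulnerable preview collapses to the benign sentence while `preview_is_faithful` returns False, and the hardened prompt shows the placeholder tail in full.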
How can this vulnerability impact me?
If exploited, this vulnerability can lead to arbitrary command execution on your macOS system through the OpenClaw agent. An attacker could trick you into approving a malicious command by hiding it beyond the visible preview in the confirmation dialog.
This could result in unauthorized actions being performed on your system, potentially compromising your data, privacy, or system integrity depending on what commands are executed and your tool approval settings.
Mitigations include not approving unexpected "Run OpenClaw agent?" prompts from untrusted sites and using unattended deep links only with a valid key for trusted automations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the OpenClaw macOS desktop client to version 2026.2.14 or later, where the issue is fixed.
Additionally, do not approve unexpected "Run OpenClaw agent?" prompts triggered while browsing untrusted sites.
Use unattended deep links only with a valid `key` for trusted personal automations.