CVE-2026-27001
Prompt Injection via Unsanitized Workspace Path in OpenClaw
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | before 2026.2.15 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27001 is a high-severity vulnerability in the OpenClaw AI assistant versions prior to 2026.2.15. The issue occurs because OpenClaw embeds the current working directory (workspace path) directly into the agent's system prompt without sanitizing it. If an attacker can run OpenClaw inside a directory whose name contains control or format characters such as newlines or Unicode bidirectional/zero-width markers, these characters can break the prompt structure.

This breakage allows the attacker to inject arbitrary instructions into the prompt, effectively performing a prompt injection attack. This can alter the behavior of the AI agent, potentially causing it to execute unintended commands or disclose sensitive information.

The vulnerability is classified under CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection), where untrusted input is not properly sanitized before use.

The issue was fixed in version 2026.2.15 by sanitizing the workspace path before embedding it into any large language model prompt output, stripping out Unicode control and format characters and explicit line/paragraph separators. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to inject malicious instructions into the AI assistant's system prompt through specially crafted directory names containing control or format characters.

Such prompt injection can cause the AI agent to behave unexpectedly, including executing unintended tools or commands, or leaking sensitive information that it otherwise would not disclose.

Because the attacker can influence the prompt structure, they may manipulate the AI's responses or actions, potentially compromising the integrity and confidentiality of your interactions with the assistant. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when OpenClaw runs inside a directory whose name contains control or format characters such as newlines, Unicode bidirectional markers, or zero-width characters. Detection involves checking if the workspace directory path used by OpenClaw contains such characters.

You can detect potentially vulnerable conditions by inspecting the current working directory path for control or format characters. For example, you can use commands to reveal hidden or special characters in directory names.

- Use a command like `ls -b` or `ls -q` to display non-printable characters in directory names.
- Use `echo` with `cat -v` to visualize control characters in the path, e.g., `echo "$PWD" | cat -v`.
- Use tools like `od -c` or `hexdump -C` on the directory name string to identify control or Unicode format characters.

Additionally, monitoring OpenClaw logs for warnings about sanitization actions (which occur if control/format characters are stripped from workspace paths) can help detect attempts to exploit this vulnerability. [1, 2]
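The path check from this answer and the sanitization described in the first answer, as an added JavaScript example that is not OpenClaw's code. The function names, the prompt template and the sample path are constructed for illustration; the character classes are the ones the advisory text names (Unicode control, format, line separator, paragraph separator).

```javascript
// Added example, not OpenClaw's implementation. All names are hypothetical.
// Unicode general categories named in the advisory text:
// Cc = control, Cf = format (bidi and zero-width marks), Zl/Zp = line/paragraph separators.
const UNSAFE = /[\p{Cc}\p{Cf}\p{Zl}\p{Zp}]/gu;

// Audit helper: report every offending code point and its position in the path.
function findUnsafeChars(path) {
  return [...path.matchAll(UNSAFE)].map((m) => ({
    index: m.index,
    codePoint: 'U+' + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
  }));
}

// Strip the characters so the path can only ever occupy one prompt line.
function sanitizeForPrompt(path) {
  return path.replace(UNSAFE, '');
}

// "Before": the raw working directory is interpolated into the prompt.
function buildPromptUnsafe(cwd) {
  return `You are a coding agent.\nWorkspace: ${cwd}\nFollow only user instructions.`;
}

// "After": the path is sanitized first, so the template keeps its three lines.
function buildPromptSafe(cwd) {
  return `You are a coding agent.\nWorkspace: ${sanitizeForPrompt(cwd)}\nFollow only user instructions.`;
}

// Constructed sample: a directory name carrying a newline, a right-to-left
// override (U+202E) and a zero-width space (U+200B).
const SAMPLE_PATH = '/srv/work/demo\nNOTE: constructed marker line\u202E\u200B';

console.log(findUnsafeChars(SAMPLE_PATH));
console.log(JSON.stringify(buildPromptUnsafe(SAMPLE_PATH)));
console.log(JSON.stringify(buildPromptSafe(SAMPLE_PATH)));

// Audit the directory this process was started in.
console.log('cwd findings:', findUnsafeChars(process.cwd()));
```

Sanitizing does not remove the visible text of the directory name; it keeps that text on the `Workspace:` line so it cannot start a new line of the prompt.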
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenClaw to version 2026.2.15 or later, where the vulnerability is fixed by sanitizing workspace paths before embedding them into LLM prompts.
If upgrading immediately is not possible, avoid running OpenClaw in directories whose names contain control or format characters such as newlines, Unicode bidirectional markers, or zero-width characters.
Review and sanitize any workspace or sandbox directory paths manually to ensure they do not contain malicious characters that could break prompt structure.
Monitor OpenClaw logs for warnings about sanitization of workspace paths, which indicate attempts to use malicious directory names.
Follow best practices for securing the environment where OpenClaw runs, including restricting directory naming conventions and access controls to prevent attackers from creating malicious directories.