CVE-2026-27009
Received Received - Intake
Stored XSS in OpenClaw Control UI Allows Script Injection

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` tag without script-context-safe escaping. A crafted value containing `</script>` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serve bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27009
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.2.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27009 is a stored Cross-Site Scripting (XSS) vulnerability in the OpenClaw Control UI prior to version 2026.2.15. The issue occurs because the assistant identity attributes, such as assistantName and assistantAvatar, were injected directly into an inline <script> tag without proper script-context-safe escaping. Specifically, the use of JSON.stringify did not escape the sequence </script>, allowing an attacker who can set these assistant identity values to inject malicious JavaScript by breaking out of the script tag.

This vulnerability allows execution of attacker-controlled JavaScript in the Control UI origin, which could lead to actions like token or session theft and execution of privileged UI actions. The vulnerability requires local access with high privileges and user interaction.

The fix involved removing inline script injection by serving the bootstrap configuration from a JSON endpoint and adding a restrictive Content Security Policy (CSP) that disallows inline scripts, mitigating the risk of script injection.

Impact Analysis

This vulnerability can impact you by allowing an attacker with the ability to set the assistant identity (such as an operator or administrator) to execute arbitrary JavaScript within the OpenClaw Control UI. This can lead to serious consequences including:

  • Theft of tokens or session information.
  • Execution of privileged actions within the Control UI.

Since the Control UI is intended for local use only, the attack vector is local and requires high privileges and user interaction. However, the confidentiality and integrity impacts are high, meaning sensitive information could be compromised and unauthorized changes could be made.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking if the OpenClaw Control UI is running a version prior to 2026.2.15 and if it renders assistant identity attributes (assistantName, assistantAvatar) inside inline <script> tags without proper escaping.'}, {'type': 'paragraph', 'content': 'One practical approach is to inspect the Control UI HTML response for inline scripts containing assistant identity data. You can use network inspection tools or command-line utilities to fetch and analyze the UI page.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Use curl or wget to fetch the Control UI page and search for inline script tags containing assistant identity data:'}, {'type': 'list_item', 'content': "curl -s http://<control-ui-host>/ | grep -i '<script>'"}, {'type': 'list_item', 'content': 'Check if the assistantName or assistantAvatar values appear inside inline scripts without escaping sequences like </script>.'}, {'type': 'list_item', 'content': 'Use browser developer tools to inspect the Control UI page source and look for inline scripts embedding assistant identity.'}, {'type': 'list_item', 'content': 'Verify the version of OpenClaw installed by checking the application version or package metadata to confirm if it is older than 2026.2.15.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to stored XSS via assistant identity injection, monitoring for unusual or suspicious assistantName or assistantAvatar values containing script tags or escape sequences like </script> can also help detect exploitation attempts.'}] [3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, upgrade the OpenClaw application to version 2026.2.15 or later, which includes the fix.'}, {'type': 'paragraph', 'content': 'The fix removes inline script injection by serving the Control UI bootstrap configuration from a JSON endpoint instead of embedding it inline, and enforces a strict Content Security Policy (CSP) that disallows inline scripts.'}, {'type': 'list_item', 'content': 'Upgrade OpenClaw to version 2026.2.15 or newer.'}, {'type': 'list_item', 'content': "Ensure the Control UI is served with the updated CSP headers that include directives such as `script-src 'self'`, `frame-ancestors 'none'`, and others that prevent script injection and clickjacking."}, {'type': 'list_item', 'content': 'Remove or disable any custom assistant identity values that may contain malicious payloads until the upgrade is applied.'}, {'type': 'list_item', 'content': 'If upgrading immediately is not possible, restrict access to the Control UI to trusted users only, as the attack requires high privileges and local access.'}, {'type': 'paragraph', 'content': 'These steps collectively reduce the risk of exploitation by eliminating the injection vector and enforcing strict browser security policies.'}] [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27009. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart