CVE-2026-27009
Received - Intake
Stored XSS in OpenClaw Control UI Allows Script Injection

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a stored XSS issue existed in the OpenClaw Control UI, which rendered the assistant identity (name/avatar) into an inline `<script>` tag without script-context-safe escaping. A crafted value containing `</script>` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed the inline script injection, serves the bootstrap config from a JSON endpoint instead, and added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts).
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
1 associated CPE
Vendor: openclaw
Product: openclaw
Version range: prior to 2026.2.15 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27009 is a stored Cross-Site Scripting (XSS) vulnerability in the OpenClaw Control UI prior to version 2026.2.15. The issue occurs because the assistant identity attributes, such as assistantName and assistantAvatar, were injected directly into an inline <script> tag without proper script-context-safe escaping. Specifically, the use of JSON.stringify did not escape the sequence </script>, allowing an attacker who can set these assistant identity values to inject malicious JavaScript by breaking out of the script tag.

This vulnerability allows execution of attacker-controlled JavaScript in the Control UI origin, which could lead to actions like token or session theft and execution of privileged UI actions. The vulnerability requires local access with high privileges and user interaction.

The fix involved removing inline script injection by serving the bootstrap configuration from a JSON endpoint and adding a restrictive Content Security Policy (CSP) that disallows inline scripts, mitigating the risk of script injection.
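The following is an added example, not OpenClaw's code. It reproduces the pattern described in the description and the answer above (identity serialized with JSON.stringify straight into an inline script) and places a script-context-safe serializer beside it. Function and variable names (renderBootstrapVulnerable, toScriptSafeJson, window.__BOOTSTRAP__) and the sample identity are assumptions for illustration; OpenClaw's actual fix removed the inline script entirely rather than escaping it.

```javascript
// Added example (not OpenClaw's code): why JSON.stringify alone is not safe inside an
// inline <script>, and a script-context-safe serializer beside it. All names here
// (renderBootstrapVulnerable, toScriptSafeJson, window.__BOOTSTRAP__) and the
// sample identity are assumptions for illustration.

// Constructed attacker-controlled identity: the name carries a closing script tag.
const MALICIOUS_IDENTITY = {
  assistantName: "Claw</script><script>alert(document.cookie)</script>",
  assistantAvatar: "https://example.invalid/avatar.png",
};

// Vulnerable pattern: JSON.stringify escapes quotes and control characters but
// leaves '<' and '>' alone, so the literal "</script>" reaches the HTML tokenizer,
// which closes the script element there regardless of JS string quoting.
function renderBootstrapVulnerable(identity) {
  return `<script>window.__BOOTSTRAP__ = ${JSON.stringify(identity)};</script>`;
}

// Script-context-safe serializer: replace the characters significant to the HTML
// parser, plus the two line terminators that JSON allows raw but JS string
// literals do not, with \uXXXX escapes. Output is still valid JSON and valid JS.
function toScriptSafeJson(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderBootstrapEscaped(identity) {
  return `<script>window.__BOOTSTRAP__ = ${toScriptSafeJson(identity)};</script>`;
}

// Number of script start tags the tokenizer would see; the vulnerable render
// contains the attacker's extra one.
function countScriptElements(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Emulate the tokenizer: the first script element's body ends at the first
// "</script", then evaluate that body and return what it assigned (null if the
// truncated body does not even parse).
function evalFirstScriptBody(html) {
  const start = html.indexOf("<script>") + "<script>".length;
  const end = html.indexOf("</script", start);
  const body = html.slice(start, end);
  try {
    // A local object stands in for the browser's window; this is only a
    // parse-and-evaluate check, not a sandbox.
    return new Function(`var window = {}; ${body}; return window.__BOOTSTRAP__;`)();
  } catch (_err) {
    return null;
  }
}

console.log("vulnerable script tags:", countScriptElements(renderBootstrapVulnerable(MALICIOUS_IDENTITY))); // 2
console.log("escaped script tags:", countScriptElements(renderBootstrapEscaped(MALICIOUS_IDENTITY)));       // 1
```

Escaping `<`, `>` and `&` to `\uXXXX` inside the JSON string keeps the value a valid JSON document and a valid JS literal, so the HTML tokenizer never sees `</script`. Serving the bootstrap configuration from a JSON endpoint fetched by a script loaded under `script-src 'self'`, as the fixed version does, removes the script context altogether and is the stronger fix: there is then no inline script for a crafted value to break out of.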


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker with the ability to set the assistant identity (such as an operator or administrator) to execute arbitrary JavaScript within the OpenClaw Control UI. This can lead to serious consequences including:

  • Theft of tokens or session information.
  • Execution of privileged actions within the Control UI.

Since the Control UI is intended for local use only, the attack vector is local and requires high privileges and user interaction. However, the confidentiality and integrity impacts are high, meaning sensitive information could be compromised and unauthorized changes could be made.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves checking whether the OpenClaw Control UI is running a version prior to 2026.2.15 and whether it renders the assistant identity attributes (assistantName, assistantAvatar) inside inline <script> tags without script-context-safe escaping.

One practical approach is to inspect the Control UI HTML response for inline scripts containing assistant identity data, using a network inspection tool or a command-line client to fetch and analyze the page.

Suggested commands and checks:

  • Fetch the Control UI page with curl or wget and search for inline script tags containing assistant identity data:
    curl -s http://<control-ui-host>/ | grep -i '<script>'
    (a plain '<script>' match targets inline scripts; tags of the form <script src=...> carry external code and are not the injection point.)
  • Check whether the assistantName or assistantAvatar values are embedded in an inline script as a plain JSON.stringify string, where a value containing </script> would not be escaped.
  • Use browser developer tools to inspect the page source and look for inline scripts embedding the assistant identity.
  • Verify the installed OpenClaw version from the application or its package metadata and confirm whether it is older than 2026.2.15.

Since the vulnerability is a stored XSS via the assistant identity, monitoring for unusual assistantName or assistantAvatar values containing script tags or the sequence </script> can also help detect exploitation attempts. [3]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade OpenClaw to version 2026.2.15 or later, which includes the fix.

The fix removes inline script injection by serving the Control UI bootstrap configuration from a JSON endpoint instead of embedding it inline, and enforces a strict Content Security Policy (CSP) that disallows inline scripts.

  • Upgrade OpenClaw to version 2026.2.15 or newer.
  • Confirm the Control UI is served with the updated CSP headers, including directives such as script-src 'self' and frame-ancestors 'none', which block inline script execution and framing (clickjacking).
  • Until the upgrade is applied, review the configured assistant identity values and remove any that contain </script> or other markup.
  • If you cannot upgrade immediately, restrict access to the Control UI to trusted users only; the attack requires high privileges and local access.

These steps collectively reduce the risk of exploitation by eliminating the injection vector and enforcing strict browser security policies. [2, 3]
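As an added example (not OpenClaw's code), the checks suggested in the detection and mitigation answers above can be automated over a saved Control UI response: flag inline <script> elements that embed the identity keys, and verify that the Content-Security-Policy header forbids inline scripts. The two sample responses are constructed; the key names assistantName and assistantAvatar come from the advisory text, and everything else (the window.__BOOTSTRAP__ shape, the asset paths, the function names) is an assumption.

```javascript
// Added example (not OpenClaw's code): detection checks for the pre-fix inline
// bootstrap pattern and for the post-fix CSP. Sample responses are constructed;
// identity key names come from the advisory, everything else is assumed.

const IDENTITY_KEYS = ["assistantName", "assistantAvatar"];

// Constructed response shaped like the pre-fix Control UI: identity inlined, no CSP.
const SAMPLE_PRE_FIX = {
  headers: {},
  body: `<!doctype html><html><head>
<script>window.__BOOTSTRAP__ = {"assistantName":"Claw","assistantAvatar":"/avatar.png"};</script>
</head><body><div id="app"></div><script src="/assets/app.js"></script></body></html>`,
};

// Constructed response shaped like the fixed Control UI: no inline script, strict CSP.
const SAMPLE_FIXED = {
  headers: {
    "content-security-policy":
      "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  },
  body: `<!doctype html><html><head></head><body><div id="app"></div>
<script src="/assets/app.js"></script></body></html>`,
};

// Bodies of inline <script> elements, i.e. those without a src attribute.
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) bodies.push(m[2]);
  }
  return bodies;
}

// CSP header -> { directive: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of (header || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// True when script-src (or its default-src fallback) exists and admits no inline
// script: no 'unsafe-inline', and no nonce/hash sources (those would permit
// specific inline scripts).
function cspBlocksInlineScript(header) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return false;
  return !sources.some((s) =>
    /^'(unsafe-inline|nonce-[^']*|sha(256|384|512)-[^']*)'$/i.test(s)
  );
}

// Assess one saved response. "pre-fix pattern" means identity data is embedded in
// an inline script; "hardened" means none is and the CSP blocks inline scripts.
function assess(response) {
  const hits = inlineScripts(response.body).filter((body) =>
    IDENTITY_KEYS.some((key) => body.includes(key))
  );
  const cspBlocksInline = cspBlocksInlineScript(
    response.headers["content-security-policy"]
  );
  let verdict = "indeterminate";
  if (hits.length > 0) verdict = "pre-fix pattern";
  else if (cspBlocksInline) verdict = "hardened";
  return { inlineIdentityScripts: hits.length, cspBlocksInline, verdict };
}

console.log(assess(SAMPLE_PRE_FIX));
console.log(assess(SAMPLE_FIXED));
```

To run this against a live instance, save the output of `curl -si http://<control-ui-host>/`, split the headers from the body, and pass them to assess(). A missing CSP on its own is not proof that an instance is pre-fix, which is why the verdict distinguishes "pre-fix pattern" (identity data found in an inline script) from "indeterminate"; the version check from the detection answer remains the authoritative test.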

