CVE-2026-27009 (GCVE-0-2026-27009)
Vulnerability from cvelistv5 – Published: 2026-02-19 23:25 – Updated: 2026-02-20 15:36
VLAI
EPSS
VEX
Title
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
Summary
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` tag without script-context-safe escaping. A crafted value containing `</script>` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serve bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts).
Severity
5.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | x_refsource_CONFIRM |
| https://github.com/openclaw/openclaw/commit/3b409… | x_refsource_MISC |
| https://github.com/openclaw/openclaw/commit/adc81… | x_refsource_MISC |
| https://github.com/openclaw/openclaw/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:29:24.166626Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:36:57.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openclaw",
"vendor": "openclaw",
"versions": [
{
"status": "affected",
"version": "\u003c 2026.2.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `\u003cscript\u003e` tag without script-context-safe escaping. A crafted value containing `\u003c/script\u003e` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serve bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src \u0027self\u0027`, no inline scripts)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T23:25:41.111Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6"
},
{
"name": "https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e"
},
{
"name": "https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b"
},
{
"name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
}
],
"source": {
"advisory": "GHSA-37gc-85xm-2ww6",
"discovery": "UNKNOWN"
},
"title": "OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27009",
"datePublished": "2026-02-19T23:25:41.111Z",
"dateReserved": "2026-02-17T03:08:23.489Z",
"dateUpdated": "2026-02-20T15:36:57.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-27009",
"date": "2026-07-10",
"epss": "0.00228",
"percentile": "0.13582"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-27009\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-20T00:16:17.620\",\"lastModified\":\"2026-06-17T10:26:31.890\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `\u003cscript\u003e` tag without script-context-safe escaping. A crafted value containing `\u003c/script\u003e` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serve bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src \u0027self\u0027`, no inline scripts).\"},{\"lang\":\"es\",\"value\":\"OpenClaw es un asistente personal de IA. Antes de la versi\u00f3n 2026.2.15, exist\u00eda un problema de XSS almacenado en la interfaz de usuario de control de OpenClaw al renderizar la identidad del asistente (nombre/avatar) en una etiqueta `` podr\u00eda escapar de la etiqueta de script y ejecutar JavaScript controlado por el atacante en el origen de la interfaz de usuario de control. La versi\u00f3n 2026.2.15 elimin\u00f3 la inyecci\u00f3n de scripts en l\u00ednea y sirve la configuraci\u00f3n de arranque desde un endpoint JSON, y a\u00f1adi\u00f3 una Pol\u00edtica de Seguridad de Contenido restrictiva para la interfaz de usuario de control (`script-src \u0027self\u0027`, sin scripts en l\u00ednea).\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"openclaw\",\"product\":\"openclaw\",\"versions\":[{\"version\":\"\u003c 2026.2.15\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.6,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-02-20T15:29:24.166626Z\",\"id\":\"CVE-2026-27009\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"2026.2.15\",\"matchCriteriaId\":\"3CD9AC99-DDDF-4177-9253-04A63CA027DC\"}]}]}],\"references\":[{\"url\":\"https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"current_release_date": "2026-02-21T01:30:36+00:00",
"cve": "CVE-2026-27009",
"id": "CVE-2026-27009",
"initial_release_date": "2026-01-01T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27009.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27009\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-20T15:29:24.166626Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-20T15:29:25.780Z\"}}], \"cna\": {\"title\": \"OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection\", \"source\": {\"advisory\": \"GHSA-37gc-85xm-2ww6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"openclaw\", \"product\": \"openclaw\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2026.2.15\"}]}], \"references\": [{\"url\": \"https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6\", \"name\": \"https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e\", \"name\": \"https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b\", \"name\": \"https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15\", \"name\": \"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `\u003cscript\u003e` tag without script-context-safe escaping. A crafted value containing `\u003c/script\u003e` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serve bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src \u0027self\u0027`, no inline scripts).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-19T23:25:41.111Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-27009\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-20T15:36:57.938Z\", \"dateReserved\": \"2026-02-17T03:08:23.489Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-19T23:25:41.111Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…