GHSA-2QJ5-GWG2-XWC4

Vulnerability from github – Published: 2026-02-18 22:42 – Updated: 2026-02-20 16:46
VLAI?
Summary
OpenClaw: Unsanitized CWD path injection into LLM prompts
Details

Overview

OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions.

Impact

Prompt injection may alter agent behavior and could lead to unintended tool use or disclosure of sensitive information.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Vulnerable versions: < 2026.2.15 (latest published vulnerable version as of 2026-02-16: 2026.2.14)
  • Patched versions: >= 2026.2.15

Fix

The workspace path is now sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.

Fix Commit(s)

  • 6254e96acf16e70ceccc8f9b2abecee44d606f79

Thanks @aether-ai-agent for reporting.

Severity ?
8.6 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T22:42:29Z",
    "nvd_published_at": "2026-02-20T00:16:16Z",
    "severity": "HIGH"
  },
  "details": "## Overview\nOpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions.\n\n## Impact\nPrompt injection may alter agent behavior and could lead to unintended tool use or disclosure of sensitive information.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `\u003c 2026.2.15` (latest published vulnerable version as of 2026-02-16: `2026.2.14`)\n- Patched versions: `\u003e= 2026.2.15`\n\n## Fix\nThe workspace path is now sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.\n\n## Fix Commit(s)\n- `6254e96acf16e70ceccc8f9b2abecee44d606f79`\n\nThanks @aether-ai-agent for reporting.",
  "id": "GHSA-2qj5-gwg2-xwc4",
  "modified": "2026-02-20T16:46:56Z",
  "published": "2026-02-18T22:42:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2qj5-gwg2-xwc4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27001"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/6254e96acf16e70ceccc8f9b2abecee44d606f79"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Unsanitized CWD path injection into LLM prompts"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.