Description
OpenClaw is a personal AI assistant. The OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked "Run." At the time of writing, the OpenClaw macOS desktop client is still in beta. In versions 2026.2.6 through 2026.2.13, an attacker could pad the message with whitespace to push a malicious payload outside the visible preview, increasing the chance a user approves a different message than the one that is actually executed. If a user runs the deep link, the agent may perform actions that can lead to arbitrary command execution depending on the user's configured tool approvals/allowlists. This is a social-engineering mediated vulnerability: the confirmation prompt could be made to misrepresent the executed message. The issue is fixed in 2026.2.14. Other mitigations include not approving unexpected "Run OpenClaw agent?" prompts triggered while browsing untrusted sites and using unattended deep links only with a valid `key` for trusted personal automations.
Published: 2026-02-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Misleading confirmation triggers arbitrary command execution
Action: Patch
AI Analysis

Impact

The flaw lies in the OpenClaw macOS client’s handling of openclaw://agent deep links that omit an unattended key. The confirmation dialog shows only the first 240 characters of the proposed message, but the entire message is executed when the user presses “Run.” By padding the message with whitespace, an attacker can place a malicious payload outside the displayed preview, so the user approves a benign-looking snippet while a harmful instruction is actually carried out. Because the agent can invoke whatever tools the user has enabled, the flaw can lead to the execution of commands with the user’s privileges, as reflected in the CVSS score of 7.1.
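As an added illustration (this is not OpenClaw's code; the 240-character limit is the one named in the advisory, and the sample messages are constructed), the snippet below contrasts the weak preview behaviour described above with a hardened preview builder. The weak version shows a raw prefix of the message, so whitespace padding can push the remainder out of view. The hardened version collapses whitespace before measuring the preview, reports whether any content is hidden, and withholds the "Run" affordance unless the whole normalized message is visible. A helper also shows how a reviewer could detect, for a given message, that the weak dialog would misrepresent what is executed.

```javascript
// Added example, not OpenClaw's own code. Demonstrates why a prefix-only
// preview misrepresents the executed message and how to build one that cannot.
const PREVIEW_LIMIT = 240; // truncation limit named in the advisory

// Weak behaviour from the advisory: the dialog shows a raw 240-character prefix,
// while the full, unmodified message is what gets executed after "Run".
function weakPreview(message) {
  return message.slice(0, PREVIEW_LIMIT);
}

// Detection helper: true when the weak preview omits non-whitespace content
// that would nonetheless be executed (i.e. the dialog would mislead the user).
function weakPreviewHidesContent(message) {
  const shownContent = weakPreview(message).replace(/\s+/g, '');
  const executedContent = message.replace(/\s+/g, '');
  return shownContent !== executedContent;
}

// Hardened preview builder:
//  - collapse whitespace runs so padding cannot consume the visible budget,
//  - flag when the normalized message still exceeds the limit,
//  - never offer "Run" on a partial preview (the UI must show the full text,
//    e.g. in a scrollable view, before approval is possible).
// Note: normalization is for display only; the original message is what the
// agent would execute, so the dialog must also state when content is hidden.
function hardenedPreview(message, limit = PREVIEW_LIMIT) {
  const normalized = message.replace(/\s+/g, ' ').trim();
  const hidden = normalized.length > limit;
  return {
    preview: hidden ? normalized.slice(0, limit) : normalized,
    hidden,          // true => UI must render a "message continues" notice
    canRun: !hidden, // approval only when the entire message is visible
  };
}

// Constructed sample messages (placeholders, not real payloads).
const BENIGN_MESSAGE = 'Summarize my calendar for today';
const HIDDEN_TAIL = '[hidden instruction placeholder]';
// 300 spaces push the tail past the 240-character preview window.
const PADDED_MESSAGE = BENIGN_MESSAGE + ' '.repeat(300) + HIDDEN_TAIL;

// Stand-alone demonstration of the difference between the two dialogs.
function demo() {
  return {
    weakShows: weakPreview(PADDED_MESSAGE).trim(),      // only the benign part
    weakHides: weakPreviewHidesContent(PADDED_MESSAGE), // true
    hardened: hardenedPreview(PADDED_MESSAGE),          // tail visible, canRun true
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The hardened builder is deliberately conservative: a message that is genuinely longer than the limit after whitespace collapsing is marked `hidden` and `canRun` is false, which pushes the UI toward showing the complete text rather than a prefix that the user must take on trust.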

Affected Systems

OpenClaw desktop client for macOS (openclaw:openclaw). Versions 2026.2.6 through 2026.2.13 are vulnerable. The issue was addressed in release 2026.2.14.

Risk and Exploitability

The exploit requires a user to click through the confirmation dialog triggered by a crafted deep link, making it a social‑engineering attack. The low EPSS score (<1%) indicates that widespread automated exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the impact is significant if a privileged user approves a malicious command. Because no elevated OS privileges are required, any local user can be affected; whether approval leads to arbitrary command execution depends on the tool approvals configured in the OpenClaw agent.

Generated by OpenCVE AI on April 17, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided update to version 2026.2.14 or later.
  • Disallow or dismiss unprompted “Run OpenClaw agent?” requests that originate during browsing of untrusted sites.
  • Configure unattended deep links to require a valid key, limiting their usage to trusted personal automations.



Advisories
Source: GitHub GHSA
ID: GHSA-7q2j-c4q5-rm27
Title: OpenClaw macOS deep link confirmation truncation can conceal executed agent message
History

Fri, 20 Feb 2026 19:15:00 +0000

First Time appeared (Values Added): Apple; Apple macos
CPEs (Values Added): cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Vendors & Products (Values Added): Apple; Apple macos
Metrics (Values Added): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


Fri, 20 Feb 2026 17:15:00 +0000

Metrics (Values Added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

First Time appeared (Values Added): Openclaw; Openclaw openclaw
Vendors & Products (Values Added): Openclaw; Openclaw openclaw

Thu, 19 Feb 2026 22:45:00 +0000

Description (Values Added): OpenClaw is a personal AI assistant. The OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked "Run." At the time of writing, the OpenClaw macOS desktop client is still in beta. In versions 2026.2.6 through 2026.2.13, an attacker could pad the message with whitespace to push a malicious payload outside the visible preview, increasing the chance a user approves a different message than the one that is actually executed. If a user runs the deep link, the agent may perform actions that can lead to arbitrary command execution depending on the user's configured tool approvals/allowlists. This is a social-engineering mediated vulnerability: the confirmation prompt could be made to misrepresent the executed message. The issue is fixed in 2026.2.14. Other mitigations include not approving unexpected "Run OpenClaw agent?" prompts triggered while browsing untrusted sites and using unattended deep links only with a valid `key` for trusted personal automations.
Title (Values Added): OpenClaw macOS deep link confirmation truncation can conceal executed agent message
Weaknesses (Values Added): CWE-451
References (Values Added):
Metrics (Values Added): cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:41:16.051Z

Reserved: 2026-02-13T16:27:51.808Z

Link: CVE-2026-26320

Vulnrichment

Updated: 2026-02-20T15:32:03.967Z

NVD

Status : Analyzed

Published: 2026-02-19T23:16:25.017

Modified: 2026-02-20T19:09:57.850

Link: CVE-2026-26320

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses