Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.
Published: 2026-02-19
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Prompt Injection via Unsanitized Path
Action: Patch
AI Analysis

Impact

OpenClaw embedded the current working directory into the agent system prompt without sanitization. Because the directory name could contain control or format characters such as newlines or Unicode bidi/zero‑width markers, an attacker who can control the directory name can break the prompt structure and insert attacker‑controlled instructions. This flaw is an Input Injection (CWE‑77) that threatens the confidentiality and integrity of the AI assistant's behavior, potentially allowing an attacker to direct the LLM to perform unintended actions.
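The sanitization the description attributes to version 2026.2.15 (stripping Unicode control/format characters and line/paragraph separators) can be sketched as follows. This is an added example, not OpenClaw's code; the function names, the `Workspace:` prompt line and the sample path are assumptions constructed for illustration.

```javascript
// Added example, not OpenClaw's code. Function names are hypothetical.
// Cc = control (includes \n, \r, \t, ESC), Cf = format (bidi overrides,
// zero-width characters, BOM), Zl/Zp = U+2028 / U+2029 separators.
const UNSAFE = /[\p{Cc}\p{Cf}\p{Zl}\p{Zp}]/gu;

// Return the path with every unsafe code point removed.
function sanitizePathForPrompt(path) {
  return String(path).replace(UNSAFE, "");
}

// List the unsafe code points in a path, for logging or refusing a launch.
function findUnsafeCodePoints(path) {
  return Array.from(String(path).matchAll(UNSAFE), (m) => ({
    index: m.index,
    codePoint:
      "U+" + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0"),
  }));
}

// Embed the workspace path on exactly one line of the prompt
// (the "Workspace:" label is an assumed prompt layout).
function workspaceLine(cwd) {
  return `Workspace: ${sanitizePathForPrompt(cwd)}`;
}

// Constructed sample: a directory name carrying a newline, a right-to-left
// override (U+202E), a zero-width space (U+200B) and U+2028.
const sampleCwd = "/home/user/proj\nEXTRA LINE\u202E\u200B\u2028end";

function demo() {
  return {
    // Lines the unsanitized path would occupy in the prompt.
    rawLines: `Workspace: ${sampleCwd}`.split(/\r\n|[\n\r\u2028\u2029]/).length,
    cleanLine: workspaceLine(sampleCwd),
    findings: findUnsafeCodePoints(sampleCwd).map((f) => f.codePoint),
  };
}

console.log(demo());
```

Ordinary non-ASCII letters (accented or Cyrillic directory names, for example) are left untouched, so the filter removes only characters that alter prompt structure or rendering.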

Affected Systems

The vulnerability affects the OpenClaw personal AI assistant software before version 2026.2.15. All releases that embed the workspace path unsanitized are impacted. The affected platform is Node.js based, as indicated by the product metadata.

Risk and Exploitability

The CVSS base score of 8.6 classifies the flaw as high severity. The EPSS score is less than 1 %, implying a low likelihood of exploitation at the moment, and it is not listed in the CISA KEV catalog. The attack vector is inferred to require an attacker who can influence the working directory of the running OpenClaw process—typically a local or privileged user. If the attacker can induce the assistant to operate in a directory with crafted names, the unsanitized path will flow into the prompt and allow injection. No additional external access requirements are indicated in the description, so the main risk is local.

Generated by OpenCVE AI on April 18, 2026 at 11:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.15 or later where the workspace path is sanitized.
  • Ensure that the working directory used by OpenClaw does not contain control or format characters; avoid executing in directories with such characters.
  • As a temporary measure if an upgrade is not yet available, start OpenClaw from a safe, plain‑ASCII directory that does not include newlines or Unicode control markers.



Advisories
Source: Github GHSA
ID: GHSA-2qj5-gwg2-xwc4
Title: OpenClaw: Unsanitized CWD path injection into LLM prompts
History

Fri, 20 Feb 2026 18:15:00 +0000

Values added:
  • CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  • Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Feb 2026 16:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Values added:
  • First Time appeared: Openclaw; Openclaw openclaw
  • Vendors & Products: Openclaw; Openclaw openclaw

Thu, 19 Feb 2026 23:30:00 +0000

Values added:
  • Description: OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.
  • Title: OpenClaw: Unsanitized CWD path injection into LLM prompts
  • Weaknesses: CWE-77
  • References
  • Metrics: cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:38:14.649Z

Reserved: 2026-02-17T01:41:24.607Z

Link: CVE-2026-27001

Vulnrichment

Updated: 2026-02-20T15:29:34.892Z

NVD

Status: Analyzed

Published: 2026-02-20T00:16:16.653

Modified: 2026-02-20T18:13:49.913

Link: CVE-2026-27001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses