OpenClaw, a personal AI assistant, suffered a stored cross‑site scripting vulnerability in its Control UI. Prior to version 2026.2.15 the assistant identity (name and avatar) was rendered directly into an inline <script> tag without context‑safe escaping. A malicious value containing the sequence </script> can terminate the tag and inject arbitrary JavaScript that runs in the context of the Control UI origin, potentially allowing an attacker to steal authentication tokens, perform phishing, or manipulate the application. The weakness is classified as CWE‑79 and is exploitable whenever an attacker can create or modify an assistant entry.

All OpenClaw installations running a pre‑2026.2.15 build are vulnerable. The issue affects the OpenClaw product deployed with any node.js runtime. The vulnerability is present in all earlier releases up to, but not including, the 2026.2.15 version, which is the first release to address the flaw.

The CVSS score of 5.8 indicates a moderate severity. EPSS shows a probability of less than 1 %, suggesting low but nonzero likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, implying that known exploits are not publicly confirmed. Exploitation requires the attacker to insert a crafted assistant name or avatar that contains a closing script tag; from that point, any user who visits the Control UI will have the attacker's JavaScript executed in the page’s origin. The attack vector appears to be local to the Control UI—an attacker who can configure or alter assistant identities can trigger the injection, but remote execution from arbitrary users is unlikely without such access.