Description
A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack.
Published: 2026-03-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The OpenClaw Agent Platform v2026.2.6 contains a remote code execution vulnerability caused by a request‑side prompt injection flaw. An attacker can manipulate input sent to the platform, causing the executed server‑side code to run arbitrary commands. This flaw maps to CWE‑94, representing code injection. The consequence is full compromise of the affected host, allowing the attacker to gain unrestricted access, install malware, and exfiltrate data.

Affected Systems

Affected systems are those running OpenClaw Agent Platform version 2026.2.6. The product is identified by the CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*. No other vendors or products are listed or affected.

Risk and Exploitability

The CVSS base score is 9.8, indicating critical severity. The EPSS score is below 1%, suggesting low current exploitation probability, but the flaw remains a top‑priority vulnerability. The issue is not listed in the CISA KEV catalog. Attackers would need network access to the vulnerable endpoint that accepts user input for the prompt injection; exploitation would be remote and requires no authentication.

Generated by OpenCVE AI on March 17, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade OpenClaw Agent Platform to a non‑vulnerable version.
  • If a patch is not yet available, block external access to the vulnerable service with a firewall or isolate the affected host from the network.
  • Verify that the patch or workaround has been applied and monitor for any anomalous activity.

Generated by OpenCVE AI on March 17, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Request‑Side Prompt Injection in OpenClaw Agent Platform v2026.2.6

Tue, 17 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw openclaw
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw openclaw

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw
Openclaw agent Platform
Vendors & Products Openclaw
Openclaw agent Platform

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack.
References

Subscriptions

Openclaw Agent Platform Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-12T14:27:31.142Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30741

cve-icon Vulnrichment

Updated: 2026-03-12T14:27:24.950Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T16:16:41.530

Modified: 2026-03-17T15:51:41.187

Link: CVE-2026-30741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:33:41Z

Weaknesses