CVE-2026-26320— OpenClaw macOS deep link confirmation truncation can conceal executed agent message
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-26320
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenClaw macOS deep link confirmation truncation can conceal executed agent message
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked "Run." At the time of writing, the OpenClaw macOS desktop client is still in beta. In versions 2026.2.6 through 2026.2.13, an attacker could pad the message with whitespace to push a malicious payload outside the visible preview, increasing the chance a user approves a different message than the one that is actually executed. If a user runs the deep link, the agent may perform actions that can lead to arbitrary command execution depending on the user's configured tool approvals/allowlists. This is a social-engineering mediated vulnerability: the confirmation prompt could be made to misrepresent the executed message. The issue is fixed in 2026.2.14. Other mitigations include not approve unexpected "Run OpenClaw agent?" prompts triggered while browsing untrusted sites and usingunattended deep links only with a valid `key` for trusted personal automations.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
关键信息的UI错误表达
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenClaw 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenClaw是openclaw开源的一个智能人工助理。 OpenClaw 2026.2.6版本至2026.2.13版本存在安全漏洞,该漏洞源于openclaw://agent深度链接的确认对话框仅显示消息的前240个字符,但执行完整消息,攻击者可通过填充空格将恶意有效载荷推至可见预览之外,增加用户批准与实际执行不同消息的风险,可能导致任意命令执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-26320
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-26320
请登录查看更多情报信息。
Same Patch Batch · openclaw · 2026-02-19 · 22 CVEs total
| CVE-2026-26322 | 7.6 HIGH | OpenClaw Gateway tool allowed unrestricted gatewayUrl override |
| CVE-2026-26316 | 7.5 HIGH | OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust |
| CVE-2026-26319 | 7.5 HIGH | OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Re |
| CVE-2026-26321 | 7.5 HIGH | OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension |
| CVE-2026-25474 | 7.5 HIGH | OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret` |
| CVE-2026-26324 | 7.5 HIGH | OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reach |
| CVE-2026-26325 | 7.2 HIGH | OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals |
| CVE-2026-26317 | 7.1 HIGH | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation e |
| CVE-2026-26972 | 6.7 MEDIUM | OpenClaw has a Path Traversal in Browser Download Functionality |
| CVE-2026-26328 | 6.5 MEDIUM | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities |
| CVE-2026-27009 | 5.8 MEDIUM | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inl |
| CVE-2026-26327 | OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning | |
| CVE-2026-26329 | OpenClaw has a path traversal in browser upload allows local file read | |
| CVE-2026-26326 | OpenClaw skills.status could leak secrets to operator.read clients | |
| CVE-2026-27001 | OpenClaw: Unsanitized CWD path injection into LLM prompts | |
| CVE-2026-27002 | OpenClaw: Docker container escape via unvalidated bind mount config injection | |
| CVE-2026-27003 | OpenClaw: Telegram bot token exposure via logs | |
| CVE-2026-27004 | OpenClaw session tool visibility hardening and Telegram webhook secret fallback | |
| CVE-2026-27007 | OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container rec | |
| CVE-2026-27008 | OpenClaw hardened the skill download target directory validation |
Showing top 20 of 22 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: openclaw
- CVE-2026-44118
OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Tok - CVE-2026-44117
OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot - CVE-2026-44116
OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo P - CVE-2026-44115
OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted He - CVE-2026-44114
OpenClaw < 2026.4.20 - Environment Variable Namespace Collis
Same vendor: openclaw
- CVE-2026-44118
OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Tok - CVE-2026-44116
OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo P - CVE-2026-44117
OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot - CVE-2026-44115
OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted He - CVE-2026-44114
OpenClaw < 2026.4.20 - Environment Variable Namespace Collis
Same weakness: CWE-451
- CVE-2026-35371
uutils coreutils id Misleading Identity Reporting in Pretty - CVE-2026-33118
Microsoft Edge (Chromium-based) Spoofing Vulnerability - CVE-2026-33119
Microsoft Edge (Chromium-based) for Android Spoofing Vulnera - CVE-2026-32971
OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows - CVE-2026-0385
Microsoft Edge (Chromium-based) for Android Spoofing Vulnera
V. Comments for CVE-2026-26320
No comments yet