CVE-2026-27001— OpenClaw: Unsanitized CWD path injection into LLM prompts
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-27001
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenClaw: Unsanitized CWD path injection into LLM prompts
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenClaw 命令注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenClaw是openclaw开源的一个智能人工助理。 OpenClaw 2026.2.15之前版本存在命令注入漏洞,该漏洞源于工作区路径嵌入系统提示时清理不当,可能导致指令注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-27001
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-27001
请登录查看更多情报信息。
Same Patch Batch · openclaw · 2026-02-19 · 22 CVEs total
| CVE-2026-26322 | 7.6 HIGH | OpenClaw Gateway tool allowed unrestricted gatewayUrl override |
| CVE-2026-26316 | 7.5 HIGH | OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust |
| CVE-2026-26319 | 7.5 HIGH | OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Re |
| CVE-2026-25474 | 7.5 HIGH | OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret` |
| CVE-2026-26321 | 7.5 HIGH | OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension |
| CVE-2026-26324 | 7.5 HIGH | OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reach |
| CVE-2026-26325 | 7.2 HIGH | OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals |
| CVE-2026-26317 | 7.1 HIGH | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation e |
| CVE-2026-26972 | 6.7 MEDIUM | OpenClaw has a Path Traversal in Browser Download Functionality |
| CVE-2026-26328 | 6.5 MEDIUM | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities |
| CVE-2026-27009 | 5.8 MEDIUM | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inl |
| CVE-2026-26327 | OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning | |
| CVE-2026-26326 | OpenClaw skills.status could leak secrets to operator.read clients | |
| CVE-2026-26329 | OpenClaw has a path traversal in browser upload allows local file read | |
| CVE-2026-26323 | OpenClaw has a command injection in maintainer clawtributors updater | |
| CVE-2026-27002 | OpenClaw: Docker container escape via unvalidated bind mount config injection | |
| CVE-2026-27003 | OpenClaw: Telegram bot token exposure via logs | |
| CVE-2026-27004 | OpenClaw session tool visibility hardening and Telegram webhook secret fallback | |
| CVE-2026-27007 | OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container rec | |
| CVE-2026-27008 | OpenClaw hardened the skill download target directory validation |
Showing top 20 of 22 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: openclaw
- CVE-2026-44118
OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Tok - CVE-2026-44117
OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot - CVE-2026-44116
OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo P - CVE-2026-44115
OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted He - CVE-2026-44114
OpenClaw < 2026.4.20 - Environment Variable Namespace Collis
Same vendor: openclaw
- CVE-2026-44118
OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Tok - CVE-2026-44117
OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot - CVE-2026-44116
OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo P - CVE-2026-44115
OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted He - CVE-2026-44114
OpenClaw < 2026.4.20 - Environment Variable Namespace Collis
Same weakness: CWE-77
- CVE-2026-8210
aandrew-me tgpt Update helper.go helper.Update command injec - CVE-2026-42258
net-imap: Command Injection via unvalidated Symbol inputs - CVE-2026-42453
Termix: Command injection in extractArchive/compressFiles vi - CVE-2026-42271
LiteLLM: Authenticated command execution via MCP stdio test - CVE-2026-41500
electerm has Command Injection Vulnerability via runMac func
V. Comments for CVE-2026-27001
No comments yet