{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27009", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T03:08:23.489Z", "datePublished": "2026-02-19T23:25:41.111Z", "dateUpdated": "2026-02-20T15:36:57.938Z"}, "containers": {"cna": {"title": "OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6"}, {"name": "https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e"}, {"name": "https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b"}, {"name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"}], "affected": [{"vendor": "openclaw", "product": "openclaw", "versions": [{"version": "< 2026.2.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T23:25:41.111Z"}, "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` tag without script-context-safe escaping. A crafted value containing `</script>` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serve bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts)."}], "source": {"advisory": "GHSA-37gc-85xm-2ww6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T15:29:24.166626Z", "id": "CVE-2026-27009", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:36:57.938Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27009", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T15:29:24.166626Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:29:25.780Z"}}], "cna": {"title": "OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection", "source": {"advisory": "GHSA-37gc-85xm-2ww6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openclaw", "product": "openclaw", "versions": [{"status": "affected", "version": "< 2026.2.15"}]}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6", "name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e", "name": "https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b", "name": "https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15", "name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` tag without script-context-safe escaping. A crafted value containing `</script>` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serve bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T23:25:41.111Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27009", "state": "PUBLISHED", "dateUpdated": "2026-02-20T15:36:57.938Z", "dateReserved": "2026-02-17T03:08:23.489Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T23:25:41.111Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "3CD9AC99-DDDF-4177-9253-04A63CA027DC", "versionEndExcluding": "2026.2.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` tag without script-context-safe escaping. A crafted value containing `</script>` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serve bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts)."}], "id": "CVE-2026-27009", "lastModified": "2026-02-20T17:41:44.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-20T00:16:17.620", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Patch"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.2.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openclaw", "source": "cna", "vendor": "openclaw"}, "product": "openclaw", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-04-18T11:38:57.391050+00:00", "value": {"mitigation_remediation": ["Upgrade OpenClaw to version 2026.2.15 or later, which removes inline script injection and enforces a strict CSP.", "If an immediate upgrade is not possible, avoid using or applying any assistant configurations that contain untrusted or custom names or avatars.", "Configure the Control UI to disallow inline scripts and enforce a CSP such as \"script-src 'self'\" in your host environment."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting on the Control UI"}, "threat_synthesis": {"affected_systems": "All OpenClaw installations running a pre\u20112026.2.15 build are vulnerable. The issue affects the OpenClaw product deployed with any node.js runtime. The vulnerability is present in all earlier releases up to, but not including, the 2026.2.15 version, which is the first release to address the flaw.", "description_and_impact": "OpenClaw, a personal AI assistant, suffered a stored cross\u2011site scripting vulnerability in its Control UI. Prior to version\u202f2026.2.15 the assistant identity (name and avatar) was rendered directly into an inline <script> tag without context\u2011safe escaping. A malicious value containing the sequence </script> can terminate the tag and inject arbitrary JavaScript that runs in the context of the Control UI origin, potentially allowing an attacker to steal authentication tokens, perform phishing, or manipulate the application. The weakness is classified as CWE\u201179 and is exploitable whenever an attacker can create or modify an assistant entry.", "risk_and_exploitability": "The CVSS score of 5.8 indicates a moderate severity. EPSS shows a probability of less than 1\u202f%, suggesting low but nonzero likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, implying that known exploits are not publicly confirmed. Exploitation requires the attacker to insert a crafted assistant name or avatar that contains a closing script tag; from that point, any user who visits the Control UI will have the attacker's JavaScript executed in the page\u2019s origin. The attack vector appears to be local to the Control UI\u2014an attacker who can configure or alter assistant identities can trigger the injection, but remote execution from arbitrary users is unlikely without such access."}}}}, "created": "2026-02-20T09:53:19.116198+00:00", "updated": "2026-04-18T11:45:44.595126+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$openclaw"]}