
OpenClaw's debug mode can be tricked into accepting unauthorized overrides

GHSA-62f6-mrcj-v8h5 CVE-2026-27524
Summary

OpenClaw's debug mode allows a caller who is already authorized to change settings to bypass some security restrictions. This cannot be exploited by anyone who does not already have access to the debug mode. It is still a good idea to update to the latest version of OpenClaw as soon as possible to address this issue. Update to version 2026.2.21 or later to fix the problem.

What to do
  • Update steipete openclaw to version 2026.2.21.
Affected software
Vendor     Product    Affected versions    Fix available
steipete   openclaw   <= 2026.2.21         2026.2.21
Original title
OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __pr...
Original description
OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass command gate restrictions.
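The defensive check the description implies, as an added example that is not OpenClaw's own code: before an override object is merged into runtime settings, every nesting level is scanned for the three prototype-reserved keys and the whole call is rejected if one is found. Function names and the JSON payload shape are assumptions for illustration.

```javascript
// Added example (not OpenClaw's code): hardened handling of a "set override"
// style payload. Reserved keys are rejected at every depth, and merged values
// go into prototype-less objects, so nothing written can reach Object.prototype.
const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a decoded override value and return the dotted path of the first
// prototype-reserved key found at any depth, or null if the value is clean.
// JSON.parse creates "__proto__" as an own property, so Object.keys sees it.
function findReservedKey(value, path = []) {
  if (value === null || typeof value !== "object") return null;
  const keys = Array.isArray(value)
    ? value.map((_, i) => String(i))
    : Object.keys(value);
  for (const key of keys) {
    if (RESERVED_KEYS.has(key)) return [...path, key].join(".");
    const hit = findReservedKey(value[key], [...path, key]);
    if (hit !== null) return hit;
  }
  return null;
}

// Merge validated overrides into `target`. Throws (so the caller can log and
// audit the rejected call) instead of silently dropping reserved keys.
function applyOverride(target, override) {
  const bad = findReservedKey(override);
  if (bad !== null) {
    throw new Error(`rejected override: prototype-reserved key at "${bad}"`);
  }
  for (const key of Object.keys(override)) {
    const v = override[key];
    if (v !== null && typeof v === "object" && !Array.isArray(v)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key] : undefined;
      const nested = existing !== null && typeof existing === "object"
        ? existing : Object.create(null); // no prototype chain to pollute
      target[key] = applyOverride(nested, v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Entry point for a /debug-set style request body (hypothetical handler name).
function handleDebugSet(settings, jsonBody) {
  return applyOverride(settings, JSON.parse(jsonBody));
}
```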
Source: osv · CVSS 4.0: 6.3
Vulnerability type
CWE-1321 Prototype Pollution
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 18 Mar 2026