Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
3.1
OpenClaw Data Logging Error Puts Gateway at Risk
GHSA-g27f-9qjv-22pm
Summary
OpenClaw, a gateway software, has a problem with how it logs certain data from WebSocket connections. This could allow an attacker to inject malicious data into the logs, which could then be used to trick AI-powered tools into executing unintended actions. To fix this, update OpenClaw to version 2026.2.13 or later, or treat logs as untrusted input when using AI-assisted debugging.
What to do
- Update steipete openclaw to version 2026.2.13.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.13 | 2026.2.13 |
Original title
OpenClaw log poisoning (indirect prompt injection) via WebSocket headers
Original description
### Summary
In `openclaw` versions prior to `2026.2.13`, OpenClaw logged certain WebSocket request headers (including `Origin` and `User-Agent`) without neutralization or length limits on the "closed before connect" path.
If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning).
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.12`
- Fixed: `>= 2026.2.13`
### Details
- Component: `src/gateway/server/ws-connection.ts`
- Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context.
### Impact
This issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited.
### Fix
Header values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting).
- Fix commits: `d637a263505448bf4505b85535babbfaacedbaac`, `e84318e4bcdc948d92e57fda1eb763a65e1774f0` (PR #15592)
### Workarounds
- Upgrade to `[email protected]` or later.
- Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs).
- Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable.
Thanks @pkerkhofs for reporting.
In `openclaw` versions prior to `2026.2.13`, OpenClaw logged certain WebSocket request headers (including `Origin` and `User-Agent`) without neutralization or length limits on the "closed before connect" path.
If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning).
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.12`
- Fixed: `>= 2026.2.13`
### Details
- Component: `src/gateway/server/ws-connection.ts`
- Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context.
### Impact
This issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited.
### Fix
Header values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting).
- Fix commits: `d637a263505448bf4505b85535babbfaacedbaac`, `e84318e4bcdc948d92e57fda1eb763a65e1774f0` (PR #15592)
### Workarounds
- Upgrade to `[email protected]` or later.
- Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs).
- Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable.
Thanks @pkerkhofs for reporting.
ghsa CVSS3.1
3.1
Vulnerability type
CWE-117
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm
- https://github.com/openclaw/openclaw/pull/15592
- https://github.com/openclaw/openclaw/commit/d637a263505448bf4505b85535babbfaaced...
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.13
- https://github.com/advisories/GHSA-g27f-9qjv-22pm
Published: 17 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026