Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.6
OpenClaw: Malicious Directory Names Can Hijack Agent Behavior
CVE-2026-27001
GHSA-2qj5-gwg2-xwc4
Summary
The OpenClaw software does not properly check the name of the directory where it's running. If an attacker puts malicious characters in the directory name, they can trick OpenClaw into executing unintended commands or revealing sensitive information. Update OpenClaw to version 2026.2.15 or later to fix this issue.
What to do
- Update steipete openclaw to version 2026.2.15.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.15 | 2026.2.15 |
| openclaw | openclaw | <= 2026.2.15 | – |
Original title
OpenClaw: Unsanitized CWD path injection into LLM prompts
Original description
## Overview
OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions.
## Impact
Prompt injection may alter agent behavior and could lead to unintended tool use or disclosure of sensitive information.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `< 2026.2.15` (latest published vulnerable version as of 2026-02-16: `2026.2.14`)
- Patched versions: `>= 2026.2.15`
## Fix
The workspace path is now sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.
## Fix Commit(s)
- `6254e96acf16e70ceccc8f9b2abecee44d606f79`
Thanks @aether-ai-agent for reporting.
OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions.
## Impact
Prompt injection may alter agent behavior and could lead to unintended tool use or disclosure of sensitive information.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `< 2026.2.15` (latest published vulnerable version as of 2026-02-16: `2026.2.14`)
- Patched versions: `>= 2026.2.15`
## Fix
The workspace path is now sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.
## Fix Commit(s)
- `6254e96acf16e70ceccc8f9b2abecee44d606f79`
Thanks @aether-ai-agent for reporting.
nvd CVSS3.1
7.8
nvd CVSS4.0
8.6
Vulnerability type
CWE-77
Command Injection
- https://nvd.nist.gov/vuln/detail/CVE-2026-27001
- https://github.com/advisories/GHSA-2qj5-gwg2-xwc4
- https://github.com/openclaw/openclaw/commit/6254e96acf16e70ceccc8f9b2abecee44d60... Patch
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.15 Product Release Notes
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2qj5-gwg2-xwc4 Vendor Advisory Patch
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026