CVSS score: 5.8
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
CVE-2026-27009
GHSA-37gc-85xm-2ww6
What to do
- Update steipete openclaw to version 2026.2.15.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.15 | 2026.2.15 |
| openclaw | openclaw | <= 2026.2.15 | – |
Original title
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
Original description
## Summary
Stored XSS in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` tag without script-context-safe escaping. A crafted value containing `</script>` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.14`
- Fixed in: `>= 2026.2.15` (next release; fix is already merged on `main`)
## Details
The gateway Control UI HTML response previously injected `assistantName` and `assistantAvatar` directly into an inline `<script>` block using `JSON.stringify(...)`. `JSON.stringify` does not prevent `</script>` from terminating the script element, enabling stored XSS if an operator/admin sets the assistant identity to a malicious string.
OpenClaw’s Control UI is intended for local use only (see `SECURITY.md`); this advisory’s CVSS reflects a loopback-only/local-access deployment assumption.
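The break-out described above, as an added example that is not OpenClaw's code: the vulnerable pattern (plain `JSON.stringify` into an inline `<script>`) beside a script-context-safe serializer that escapes `<`, `>`, `&` and the Unicode line separators as JSON `\uXXXX` sequences, plus a check a test suite could run on rendered HTML. The advisory's actual fix moved the bootstrap config to a JSON endpoint behind CSP; the `window.__BOOT__` global and function names here are assumptions for illustration.

```javascript
// Vulnerable pattern from the advisory: JSON.stringify straight into <script>.
// JSON.stringify leaves '<' untouched, so "</script>" in a value ends the element.
function renderBootstrapUnsafe(identity) {
  return `<script>window.__BOOT__ = ${JSON.stringify(identity)};</script>`;
}

// Script-context-safe serializer: escape every character that can terminate the
// script element or break JS parsing. The \uXXXX forms are still valid JSON,
// so JSON.parse on the client yields the original string unchanged.
function serializeForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderBootstrapSafe(identity) {
  return `<script>window.__BOOT__ = ${serializeForInlineScript(identity)};</script>`;
}

// Regression check: the HTML parser closes a script element at "</script",
// case-insensitively, regardless of JS string quoting. A correctly rendered
// bootstrap block must contain exactly one such close tag.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Round-trip to prove the escaping does not alter the stored value.
function roundTrip(identity) {
  return JSON.parse(serializeForInlineScript(identity));
}

// Constructed sample identity: the assistant name carries a closing script tag.
const maliciousIdentity = {
  assistantName: 'Bot</script><script>/*injected*/</script>',
  assistantAvatar: 'https://example.invalid/avatar.png',
};
```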
## Impact
An attacker with the ability to set assistant identity values (config or agent identity) could cause JavaScript execution for Control UI visitors, enabling token/session theft and privileged actions in the UI.
## Fix
- Removed inline script injection and serve bootstrap config from a JSON endpoint.
- Added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts).
## Fix Commit(s)
- `adc818db4a4b3b8d663e7674ef20436947514e1b`
- `3b4096e02e7e335f99f5986ec1bd566e90b14a7e`
## Release Process Note
This advisory pre-sets the patched version to the planned next release (`2026.2.15`). Once that version is published to npm, this advisory can be published without further edits.
Thanks @Adam55A-code for reporting.
NVD CVSS 3.1: 5.8
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
- https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6 Exploit Vendor Advisory Patch
- https://nvd.nist.gov/vuln/detail/CVE-2026-27009
- https://github.com/advisories/GHSA-37gc-85xm-2ww6
- https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b1... Patch
- https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef2043694751... Patch
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.15 Product Release Notes
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026