CVE-2026-27001

OpenClaw: Unsanitized CWD path injection into LLM prompts

CVSS 8.6 HIGHEPSS 0.2%CWE-77

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.6EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

19 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

openclaw · openclaw

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/openclaw/openclaw/commit/6254e96acf16e70ceccc8f9b2abecee44d606f79 https://github.com/openclaw/openclaw/releases/tag/v2026.2.15 https://github.com/openclaw/openclaw/security/advisories/GHSA-2qj5-gwg2-xwc4