CNNVD-202602-943 Information

CNNVD ID

CNNVD-202602-943

CVE-2026-25593

  • CNNVD Published: 2026-02-06

Description (Chinese)

OpenClaw is an open-source intelligent AI assistant from openclaw. OpenClaw versions before 2026.1.20 contain an access control error vulnerability. The flaw stems from unauthenticated local clients being able to use the Gateway WebSocket API to write configuration via config.apply and set unsafe cliPath values; these values are subsequently used for command discovery, which may lead to command injection executed as the gateway user.

Description (English)

OpenClaw is an open-source AI assistant from openclaw. Before version 2026.1.20, OpenClaw had an access control flaw: unauthenticated local clients could use the Gateway WebSocket API to write configuration via config.apply and set unsafe cliPath values, which were subsequently used for command discovery and could lead to command injection as the gateway user.

Hazard Level

High

Vulnerability Type

Access control error

Affected Vendor

openclaw

Published

2026-02-06

Last Modified

2026-02-24

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg

https://access.redhat.com/security/cve/cve-2026-25593

Patch

https://openclaw.ai/