Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Command Injection in OpenClaw Gateway WebSocket API

IdentifiersCVE-2026-25593CWE-78· Improper Neutralization of Special…

CVE-2026-25593 is a command injection vulnerability in OpenClaw, a personal AI assistant, affecting versions prior to 2026.1.20. The flaw is in the Gateway WebSocket API, where an unauthenticated local client can invoke config.apply to write configuration values, including an unsafe cliPath. That cliPath is later consumed during command discovery without sufficient validation or sanitization, allowing attacker-controlled input to reach an OS command execution context. Successful exploitation results in arbitrary command execution as the OpenClaw gateway user.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated local attacker to execute arbitrary commands with the privileges of the OpenClaw gateway process user. This can lead to compromise of confidentiality, integrity, and availability for data and resources accessible to that account, including configuration tampering, data access, persistence, and potentially broader host compromise depending on the gateway user's privileges and environment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict or disable access to the Gateway WebSocket API where feasible, enable gateway authentication, avoid custom or unsafe cliPath values, and limit local access to the host. Apply least privilege to the OpenClaw gateway account, use host-based controls or firewall rules to restrict access to configuration endpoints, and monitor for suspicious WebSocket activity, config.apply requests, cliPath modifications, and anomalous process creation from the gateway service.

Remediation

Patch, then assume compromise.

Upgrade OpenClaw to version 2026.1.20 or later, where the vulnerability is fixed. The fix reportedly adds proper validation and sanitization for configuration values passed through the Gateway WebSocket API. After upgrading, review OpenClaw configuration for unauthorized cliPath changes, audit logs for suspicious unauthenticated config.apply activity, and investigate unexpected child processes spawned by the gateway process.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
OpenclawOpenclawapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
cyberthroneNews
Mar 18, 2026
OpenClaw: The Open-Source AI Agent Rewriting the Threat Landscape - TheCyberThrone

One of several additional OpenClaw vulnerabilities mentioned as part of a broader stack of moderate- to high-severity flaws affecting the platform.

Read more
the hacker newsNews
Feb 28, 2026
ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket

One of several recently disclosed OpenClaw vulnerabilities, ranging from moderate to high severity, that could lead to serious impacts such as remote code execution, command injection, SSRF, authentication bypass, or path traversal.

Read more
cvefeed high severityNews
Feb 6, 2026
CVE-2026-25593 - OpenClaw Affected by Unauthenticated Local RCE via WebSocket config.apply

A local, unauthenticated command injection vulnerability in OpenClaw’s Gateway WebSocket API where an attacker can set an unsafe cliPath via config.apply, later leading to command execution as the gateway user.

Read more
sentinelone vulndbNews
Feb 6, 2026
CVE-2026-25593: OpenClaw AI Assistant RCE Vulnerability

A command injection vulnerability in OpenClaw's Gateway WebSocket API that allows an unauthenticated local client to set malicious cliPath values via config.apply, leading to arbitrary command execution with gateway user privileges.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-25593
NVD
nvd.nist.gov/vuln/detail/CVE-2026-25593
MITRE CWE · CWE-78
Improper Neutralization of Special Elements…
Vendor Advisory
github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg