OpenClaw Command Injection Vulnerability via WebSocket Gateway API

Vulnerability

A command injection vulnerability has been identified in OpenClaw, a personal AI assistant, in versions prior to 2026.1.20. An unauthenticated local client could call the Gateway WebSocket API's 'config.apply' method to write configuration data, including unsafe 'cliPath' values. Because those values were later used for command discovery, the flaw enabled execution of arbitrary commands as the gateway user.

Impact

Exploitation of this vulnerability allows a local process to execute arbitrary commands as the user running the gateway process.

Remediation

Users are advised to upgrade to version 2026.1.20 or later. If an immediate upgrade is not possible, set 'gateway.auth' and avoid using custom 'cliPath' values.
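The two interim mitigations above amount to a configuration check (is 'gateway.auth' set, and are any 'cliPath' values safe?) plus a rule that an executable path must never reach a shell. The following Python audit is an added illustration, not OpenClaw's own code; it assumes a nested-dict config whose "gateway" section carries an "auth" key and whose "cliPath" keys may appear anywhere in the tree, which is an assumption about layout rather than the real schema. It walks the config, flags a missing 'gateway.auth', rejects any 'cliPath' that is relative, contains '..', or contains characters outside a conservative allow-list, and builds an argv list so that the path is only ever executed with shell=False.

```python
import os
import re
from typing import Any, Iterator

# Assumed config layout (illustrative, not OpenClaw's real schema): a nested
# dict with a "gateway" section whose "auth" key, when set, enables
# authentication on the WebSocket gateway, and "cliPath" keys that may appear
# anywhere in the tree.

# Conservative allow-list for an executable path: letters, digits, '_', '.',
# '/', '-'. Whitespace, quotes and shell metacharacters such as ; & | $ ` ( )
# are all rejected, so the value cannot change meaning if a command discovery
# step ever hands it to a shell.
_SAFE_PATH_RE = re.compile(r"^[A-Za-z0-9_./-]+$")


def cli_path_is_safe(cli_path: Any) -> bool:
    """Return True only for an absolute, metacharacter-free, traversal-free path."""
    if not isinstance(cli_path, str) or not cli_path:
        return False
    if not _SAFE_PATH_RE.fullmatch(cli_path):
        return False
    if not os.path.isabs(cli_path):
        return False
    # '..' passes the regex, so reject parent-directory components explicitly.
    return ".." not in cli_path.split("/")


def find_cli_paths(node: Any, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.key, value) for every 'cliPath' key anywhere in the config."""
    if isinstance(node, dict):
        for key, value in node.items():
            dotted = f"{prefix}.{key}" if prefix else key
            if key == "cliPath":
                yield dotted, value
            else:
                yield from find_cli_paths(value, dotted)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_cli_paths(value, f"{prefix}[{i}]")


def audit_config(config: dict) -> list[str]:
    """Check the two mitigations the advisory names and return any findings."""
    findings: list[str] = []
    if not config.get("gateway", {}).get("auth"):
        findings.append("gateway.auth is not set: unauthenticated local clients can apply config")
    for dotted, value in find_cli_paths(config):
        if not cli_path_is_safe(value):
            findings.append(f"{dotted}: unsafe cliPath value {value!r}")
    return findings


def build_argv(cli_path: str, args: list[str]) -> list[str]:
    """Build an argv list for subprocess.run(argv) with shell=False.

    Validating at the point of use (not only when config is written) means a
    value that slipped past config.apply still cannot reach a shell.
    """
    if not cli_path_is_safe(cli_path):
        raise ValueError(f"refusing to execute unsafe cliPath {cli_path!r}")
    return [cli_path, *args]


# Constructed sample configs (not taken from the advisory).
WEAK_CONFIG = {
    "gateway": {},  # no auth configured
    "tools": {"shell": {"cliPath": "/usr/local/bin/openclaw-cli; echo injected"}},
}
HARDENED_CONFIG = {
    "gateway": {"auth": {"token": "<placeholder-token>"}},
    "tools": {"shell": {"cliPath": "/usr/local/bin/openclaw-cli"}},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

Run against the weak sample the audit reports both the missing 'gateway.auth' and the unsafe 'tools.shell.cliPath'; against the hardened sample it reports nothing. The allow-list is deliberately stricter than what a filesystem permits, which is the right trade-off for a value an unauthenticated client may be able to write.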

Added: Feb 6, 2026, 9:27 PM
Updated: Feb 6, 2026, 11:46 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          2.5
  exploitability  4.3
  remediation     0.0
  relevance       2.9
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.