CVE-2026-25593— OpenClaw 访问控制错误漏洞

OpenClaw Affected by Unauthenticated Local RCE via WebSocket config.apply

OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

OpenClaw 访问控制错误漏洞

OpenClaw是openclaw开源的一个智能人工助理。 OpenClaw 2026.1.20之前版本存在访问控制错误漏洞，该漏洞源于未经身份验证的本地客户端可使用Gateway WebSocket API通过config.apply写入配置并设置不安全的cliPath值，这些值随后用于命令发现，可能导致以网关用户身份执行命令注入。

N/A

N/A