Cyber Resilience

CVE-2026-25593

High

Published: 06 February 2026

Published
06 February 2026
Modified
13 February 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0064 45.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25593 is a high-severity OS Command Injection (CWE-78) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 45.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25593 is a command injection vulnerability in OpenClaw, a personal AI assistant, affecting versions prior to 2026.1.20. The issue stems from the Gateway WebSocket API, where an unauthenticated local client can invoke the config.apply endpoint to write configuration data containing unsafe cliPath values. These values are later utilized during command discovery, enabling arbitrary command injection executed as the gateway user. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-306 (Missing Authentication for Critical Function).

A local attacker without authentication or privileges can exploit this by establishing a WebSocket connection to the Gateway API and submitting a malicious config.apply payload with a crafted cliPath. This leads to command injection when the gateway processes the configuration for command discovery, allowing the attacker to execute arbitrary OS commands as the gateway user. Successful exploitation grants high-impact control over confidentiality, integrity, and availability on the host system.

The vulnerability is addressed in OpenClaw version 2026.1.20. Practitioners should upgrade to this patched release to mitigate the issue. Additional details are available in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as…

more

the gateway user. This vulnerability is fixed in 2026.1.20.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Command injection (CWE-78) in unauthenticated local Gateway API config path directly enables arbitrary OS command execution (T1059) and exploitation of the software vulnerability to escalate from no privileges to gateway-user context (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24763Same product: Openclaw Openclaw
CVE-2026-34426Same product: Openclaw Openclaw
CVE-2026-32014Same product: Openclaw Openclaw
CVE-2026-29607Same product: Openclaw Openclaw
CVE-2026-28470Same product: Openclaw Openclaw
CVE-2026-33573Same product: Openclaw Openclaw
CVE-2026-26325Same product: Openclaw Openclaw
CVE-2026-28473Same product: Openclaw Openclaw
CVE-2026-42429Same product: Openclaw Openclaw
CVE-2026-33579Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.1.20

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Addresses missing authentication for critical config.apply function by identifying, authorizing, and aborting unauthorized unauthenticated actions on the Gateway WebSocket API.

prevent

Prevents command injection vulnerability (CWE-78) by validating and sanitizing unsafe cliPath inputs used in command discovery.

prevent

Mitigates the specific flaw by requiring ongoing monitoring, scanning, and timely patching to the fixed OpenClaw version 2026.1.20.

References