CVE-2026-25593
Published: 06 February 2026
Summary
CVE-2026-25593 is a high-severity OS Command Injection (CWE-78) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Addresses missing authentication for critical config.apply function by identifying, authorizing, and aborting unauthorized unauthenticated actions on the Gateway WebSocket API.
Prevents command injection vulnerability (CWE-78) by validating and sanitizing unsafe cliPath inputs used in command discovery.
Mitigates the specific flaw by requiring ongoing monitoring, scanning, and timely patching to the fixed OpenClaw version 2026.1.20.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection (CWE-78) in unauthenticated local Gateway API config path directly enables arbitrary OS command execution (T1059) and exploitation of the software vulnerability to escalate from no privileges to gateway-user context (T1068).
NVD Description
OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as…
more
the gateway user. This vulnerability is fixed in 2026.1.20.
Deeper analysisAI
CVE-2026-25593 is a command injection vulnerability in OpenClaw, a personal AI assistant, affecting versions prior to 2026.1.20. The issue stems from the Gateway WebSocket API, where an unauthenticated local client can invoke the config.apply endpoint to write configuration data containing unsafe cliPath values. These values are later utilized during command discovery, enabling arbitrary command injection executed as the gateway user. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-306 (Missing Authentication for Critical Function).
A local attacker without authentication or privileges can exploit this by establishing a WebSocket connection to the Gateway API and submitting a malicious config.apply payload with a crafted cliPath. This leads to command injection when the gateway processes the configuration for command discovery, allowing the attacker to execute arbitrary OS commands as the gateway user. Successful exploitation grants high-impact control over confidentiality, integrity, and availability on the host system.
The vulnerability is addressed in OpenClaw version 2026.1.20. Practitioners should upgrade to this patched release to mitigate the issue. Additional details are available in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai