CVE-2026-27001
Published: 20 February 2026
Summary
CVE-2026-27001 is a high-severity Command Injection (CWE-77) vulnerability in OpenClaw. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Content Injection (T1659). It ranks at the 1.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validating inputs such as the unsanitized workspace path to strip control and format characters before embedding into LLM prompts, directly preventing prompt injection.
SI-15 mandates filtering the LLM system prompt output to remove disruptive characters from the embedded workspace path, blocking attacker-controlled instruction injection.
SI-9 enforces restrictions on information inputs like directory paths to limit harmful control characters such as newlines or Unicode markers that enable prompt structure disruption.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables injection of attacker-controlled instructions into the LLM system prompt via unsanitized workspace path embedding (using control/format characters), matching content injection behavior.
NVD Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.
Deeper analysis
CVE-2026-27001 is a vulnerability in OpenClaw, a personal AI assistant, affecting versions prior to 2026.2.15. The issue arises from embedding the current working directory, or workspace path, into the agent system prompt without sanitization. Directory names containing control or format characters, such as newlines or Unicode bidi/zero-width markers, can disrupt the prompt structure and enable injection of attacker-controlled instructions. It is associated with CWE-77 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by running OpenClaw within a directory whose name includes malicious control or format characters. This allows the characters to break the intended prompt format, injecting arbitrary instructions into the LLM processing. Successful exploitation can result in high impacts to confidentiality, integrity, and availability.
Mitigation is addressed in the OpenClaw GitHub security advisory (GHSA-2qj5-gwg2-xwc4), commit 6254e96acf16e70ceccc8f9b2abecee44d606f79, and release v2026.2.15. Starting with version 2026.2.15, the workspace path is sanitized prior to embedding in any LLM prompt output by stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also incorporates the same sanitization as a defense-in-depth measure; users are advised to upgrade immediately.
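The sanitization described above can be sketched as follows. This is an added example, not OpenClaw's code or the referenced commit; the function names, the prompt layout and the sample directory name are assumptions constructed for illustration.

```javascript
// Added example, not OpenClaw's implementation. All names here are hypothetical.

// Unicode general categories covered by the fix as the advisory describes it:
//   Cc = control characters (newline, carriage return, tab, ESC, ...)
//   Cf = format characters (bidi overrides/marks, zero-width space/joiners, ...)
//   Zl / Zp = U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR
const UNSAFE = /[\p{Cc}\p{Cf}\p{Zl}\p{Zp}]/gu;

// Report every unsafe code point and its offset, so the event can be logged
// (a detection signal) before the value is stripped.
function findUnsafeChars(value) {
  return [...value.matchAll(UNSAFE)].map((m) => ({
    index: m.index,
    codePoint: "U+" + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0"),
  }));
}

// Strip the characters so the path always occupies exactly one prompt line.
function sanitizeForPrompt(value) {
  return value.replace(UNSAFE, "");
}

// Assumed prompt layout: the workspace path sits on its own line between
// two lines of fixed instructions.
function buildSystemPrompt(workspacePath, { sanitize }) {
  const shown = sanitize ? sanitizeForPrompt(workspacePath) : workspacePath;
  return [
    "You are a coding assistant.",
    `Workspace: ${shown}`,
    "Follow only the rules above.",
  ].join("\n");
}

// Constructed sample: a directory name carrying a newline, a bidi override
// (U+202E) and a zero-width space (U+200B).
const samplePath = "/home/user/proj\n[constructed injected line]\u202E\u200B";

const before = buildSystemPrompt(samplePath, { sanitize: false }); // pre-fix behaviour
const after = buildSystemPrompt(samplePath, { sanitize: true });   // hardened behaviour

console.log(findUnsafeChars(samplePath));
console.log("prompt lines before:", before.split("\n").length);
console.log("prompt lines after: ", after.split("\n").length);
```

Stripping changes the string, so the sanitized value is suitable for display inside the prompt but may no longer name the real directory on disk.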
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, llm