CVE-2026-27001 Overview
OpenClaw is a personal AI assistant application. Prior to version 2026.2.15, a critical prompt injection vulnerability existed in how OpenClaw handled workspace directory paths. The application embedded the current working directory (workspace path) into the agent system prompt without proper sanitization, allowing attackers to inject malicious instructions into LLM prompts through specially crafted directory names containing control characters, newlines, or Unicode manipulation markers.
Critical Impact
Attackers can manipulate AI assistant behavior by injecting arbitrary instructions through maliciously named directories, potentially leading to unauthorized actions, data exfiltration, or complete compromise of the AI agent's integrity.
Affected Products
- OpenClaw versions prior to 2026.2.15
- OpenClaw Node.js package (all vulnerable versions)
- Any deployment using unsanitized workspace path embedding in LLM prompts
Discovery Timeline
- 2026-02-20 - CVE-2026-27001 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-27001
Vulnerability Analysis
This vulnerability represents a command injection flaw (CWE-77) specific to LLM-based applications. The core issue stems from OpenClaw's failure to sanitize the workspace path before embedding it into system prompts sent to the language model. When an attacker can influence or create a directory with a maliciously crafted name, they can break the intended prompt structure and inject arbitrary instructions that the AI assistant will interpret as legitimate commands.
The attack leverages Unicode control characters, bidirectional text markers, zero-width characters, and line separators to escape the intended context within the prompt template. This allows an attacker to effectively "speak as the system" to the LLM, bypassing any user-level restrictions or safety guardrails that depend on prompt structure integrity.
Root Cause
The root cause is the lack of input sanitization when embedding runtime-derived strings (specifically the workspace directory path) into LLM prompts. The vulnerable code path directly interpolated the workspace path into the system prompt without filtering dangerous Unicode categories including:
- Control characters (Unicode category Cc) - includes CR, LF, NUL
- Format characters (Unicode category Cf) - includes bidirectional markers and zero-width characters
- Line separators (U+2028) and paragraph separators (U+2029)
These characters can break prompt structure, create visual spoofing, or inject new instruction blocks that appear authoritative to the LLM.
Attack Vector
The attack requires local access to create or rename directories in a location where OpenClaw will be executed. An attacker constructs a directory name containing newline sequences followed by attacker-controlled prompt instructions. When a user runs OpenClaw from within this malicious directory, the injected content becomes part of the system prompt, allowing the attacker to:
- Override safety instructions
- Inject new behavioral directives
- Exfiltrate sensitive information through crafted responses
- Manipulate the AI to perform unauthorized actions
The security patch introduces the sanitizeForPromptLiteral function that strips dangerous characters:
/**
* Sanitize untrusted strings before embedding them into an LLM prompt.
*
* Threat model (OC-19): attacker-controlled directory names (or other runtime strings)
* that contain newline/control characters can break prompt structure and inject
* arbitrary instructions.
*
* Strategy (Option 3 hardening):
* - Strip Unicode "control" (Cc) + "format" (Cf) characters (includes CR/LF/NUL, bidi marks, zero-width chars).
* - Strip explicit line/paragraph separators (Zl/Zp): U+2028/U+2029.
*
* Notes:
* - This is intentionally lossy; it trades edge-case path fidelity for prompt integrity.
* - If you need lossless representation, escape instead of stripping.
*/
export function sanitizeForPromptLiteral(value: string): string {
return value.replace(/[\p{Cc}\p{Cf}\\u2028\\u2029]/gu, "");
}
Source: GitHub Commit Details
Detection Methods for CVE-2026-27001
Indicators of Compromise
- Presence of directories with unusual Unicode characters, newlines, or non-printable characters in their names
- OpenClaw log files showing system prompts containing unexpected line breaks or instruction patterns
- AI assistant exhibiting behaviors not aligned with configured system instructions
- Suspicious directory names containing strings like "ignore previous instructions" or similar prompt injection payloads
Detection Strategies
- Implement file system monitoring for directory creation events containing Unicode control characters (categories Cc, Cf) or line separators
- Audit OpenClaw installations for versions prior to 2026.2.15 using package manager queries
- Deploy endpoint detection rules that flag directory names with embedded newline sequences (U+000A, U+000D, U+2028, U+2029)
- Review LLM prompt logs for anomalous multi-line patterns or unexpected instruction blocks
Monitoring Recommendations
- Enable verbose logging in OpenClaw to capture full system prompts for security review
- Monitor for unusual AI assistant responses that deviate from expected behavior patterns
- Implement alerting on directory traversal or creation operations in workspace locations containing control characters
- Conduct periodic audits of directory structures where OpenClaw operates to identify potential injection vectors
How to Mitigate CVE-2026-27001
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.15 or later immediately
- Audit existing workspace directories for suspicious naming patterns containing control characters
- Review AI assistant activity logs for any signs of prompt injection exploitation
- Implement file system restrictions preventing directory names with Unicode control characters in OpenClaw workspace locations
Patch Information
The vulnerability is fully addressed in OpenClaw version 2026.2.15. The fix implements comprehensive sanitization for all runtime strings embedded into LLM prompts. The patch is available through the official release and can be obtained from the GitHub Release v2026.2.15.
For technical details on the security fix, refer to the GitHub Security Advisory GHSA-2qj5-gwg2-xwc4.
Workarounds
- Restrict OpenClaw execution to directories with validated, sanitized names until patching is complete
- Implement operating system-level controls to prevent creation of directories with Unicode control characters
- Deploy application-level sandboxing to limit the impact of compromised AI assistant behavior
- Use read-only file system mounts for workspace directories where possible to prevent attacker directory creation
# Verify OpenClaw version and upgrade if necessary
npm list openclaw
npm update openclaw@2026.2.15
# Scan for suspicious directory names in workspace (Linux/macOS)
find /path/to/workspace -type d -name $'*[\\x00-\\x1f\\x7f]*' -print
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
