CVE-2026-27009 Overview
CVE-2026-27009 is a stored Cross-Site Scripting (XSS) vulnerability in OpenClaw, a personal AI assistant application. The vulnerability exists in the OpenClaw Control UI when rendering assistant identity information (name/avatar) into an inline <script> tag without proper script-context-safe escaping. An attacker can craft a malicious value containing </script> to break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the OpenClaw Control UI, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of authenticated users.
Affected Products
- OpenClaw versions prior to 2026.2.15
- OpenClaw for Node.js environments
- OpenClaw Control UI component
Discovery Timeline
- 2026-02-20 - CVE-2026-27009 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-27009
Vulnerability Analysis
This stored XSS vulnerability arises from improper handling of user-controlled data within the OpenClaw Control UI. The application renders assistant identity information—specifically the assistant's name and avatar—directly into an inline <script> tag without applying script-context-safe escaping. When a user configures an assistant with a specially crafted identity value containing </script>, the malicious payload breaks out of the intended script context and enables arbitrary JavaScript execution.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack requires local access with high privileges and user interaction to execute, but can result in complete compromise of confidentiality and integrity within the affected application context.
Root Cause
The root cause is insufficient output encoding when injecting dynamic content into an inline JavaScript context. The Control UI bootstrap configuration was being embedded directly into HTML via inline script tags, and the assistant identity fields were not properly escaped for the JavaScript string context. This allowed special characters like </script> to prematurely terminate the script block and inject arbitrary HTML/JavaScript.
Attack Vector
The attack vector requires an authenticated user with administrative privileges to configure a malicious assistant identity. The attacker crafts a payload such as </script><script>alert('XSS')</script> in the assistant name or avatar field. When the Control UI renders this value within its inline script tag, the </script> sequence terminates the legitimate script block, allowing the subsequent attacker-controlled script to execute.
// Security patch in ui/src/ui/app-lifecycle.ts - fix(ui): load Control UI bootstrap config via JSON endpoint
syncTabWithLocation,
syncThemeWithSettings,
} from "./app-settings.ts";
+import { loadControlUiBootstrapConfig } from "./controllers/control-ui-bootstrap.ts";
type LifecycleHost = {
basePath: string;
tab: Tab;
+ assistantName: string;
+ assistantAvatar: string | null;
+ assistantAgentId: string | null;
chatHasAutoScrolled: boolean;
chatManualRefreshInFlight: boolean;
chatLoading: boolean;
Source: GitHub Commit 3b4096e
// Security patch in ui/src/ui/app.ts - fix(ui): load Control UI bootstrap config via JSON endpoint
type ToolStreamEntry,
type CompactionStatus,
} from "./app-tool-stream.ts";
-import { resolveInjectedAssistantIdentity } from "./assistant-identity.ts";
+import { normalizeAssistantIdentity } from "./assistant-identity.ts";
import { loadAssistantIdentity as loadAssistantIdentityInternal } from "./controllers/assistant-identity.ts";
import { loadSettings, type UiSettings } from "./storage.ts";
import { type ChatAttachment, type ChatQueueItem, type CronFormState } from "./ui-types.ts";
Source: GitHub Commit 3b4096e
Detection Methods for CVE-2026-27009
Indicators of Compromise
- Presence of assistant identity values containing </script> sequences or HTML tags
- Unexpected JavaScript execution events in the Control UI
- Modified assistant configuration entries with suspicious payloads in name or avatar fields
- Browser console errors indicating script parsing issues in the Control UI
Detection Strategies
- Monitor and audit assistant identity configuration changes for malicious patterns
- Implement Content Security Policy (CSP) violation logging to detect inline script injection attempts
- Review web server access logs for unusual POST requests to assistant identity configuration endpoints
- Deploy web application firewalls (WAF) with XSS detection rules targeting script-breaking payloads
Monitoring Recommendations
- Enable CSP reporting to capture policy violations in the Control UI origin
- Implement real-time alerting for configuration changes to assistant identity fields
- Monitor for anomalous user session behavior that may indicate session hijacking post-exploitation
- Review browser-side telemetry for unexpected script execution patterns
How to Mitigate CVE-2026-27009
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.15 or later immediately
- Audit existing assistant configurations for potentially malicious identity values
- Review user sessions and authentication tokens for signs of compromise
- Implement a restrictive Content Security Policy if not already in place
Patch Information
Version 2026.2.15 addresses this vulnerability through two key security improvements. The patch removes inline script injection entirely and instead serves bootstrap configuration from a dedicated JSON endpoint. Additionally, a restrictive Content Security Policy has been implemented for the Control UI that enforces script-src 'self' and disallows inline scripts.
For detailed patch information, refer to:
Workarounds
- Deploy a Content Security Policy header with script-src 'self' to block inline script execution
- Implement server-side input validation to reject assistant identity values containing script-breaking sequences
- Restrict administrative access to trusted users only until the patch can be applied
- Consider temporarily disabling custom assistant identity configuration if upgrading is not immediately possible
# Configuration example - Add CSP header to web server (nginx example)
add_header Content-Security-Policy "script-src 'self'; object-src 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
