CVE-2026-35651 Overview
CVE-2026-35651 is an ANSI escape sequence injection vulnerability affecting OpenClaw versions 2026.2.13 through 2026.3.24. This vulnerability allows attackers to spoof terminal output by injecting malicious ANSI control sequences through untrusted tool metadata. When exploited, attackers can manipulate the displayed information in approval prompts and permission logs, potentially deceiving users into approving malicious actions.
Critical Impact
Attackers can manipulate terminal output in approval prompts through malicious tool titles, potentially tricking users into approving unintended operations or obscuring malicious activity in permission logs.
Affected Products
- OpenClaw versions 2026.2.13 through 2026.3.24
- OpenClaw for Node.js
Discovery Timeline
- 2026-04-10 - CVE-2026-35651 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-35651
Vulnerability Analysis
This vulnerability stems from improper handling of ANSI escape sequences in user-facing terminal prompts within OpenClaw. When the application processes tool metadata that contains untrusted input, it fails to sanitize or strip ANSI control characters before rendering the content in terminal-based approval prompts. This allows an attacker who controls tool metadata—such as tool titles—to inject escape sequences that manipulate the visual presentation of terminal output.
The attack surface is network-accessible and requires user interaction (the victim must view or interact with the manipulated prompt). While the vulnerability does not directly compromise confidentiality or availability, it enables integrity violations by allowing attackers to misrepresent information displayed to users.
Root Cause
The root cause is classified under CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences). The application accepts tool metadata containing ANSI escape codes without proper sanitization. When this metadata is rendered in terminal approval prompts or permission logs, the escape sequences are interpreted by the terminal emulator, allowing attackers to:
- Overwrite or hide existing terminal content
- Change text colors to obscure warnings
- Move the cursor to manipulate output positioning
- Create convincing but fraudulent approval prompts
Attack Vector
The attack is conducted over the network by an attacker who can supply malicious tool metadata to the OpenClaw application. The exploitation flow involves:
- An attacker crafts a malicious tool title containing ANSI escape sequences (e.g., cursor movement codes, text color changes, or line clearing sequences)
- The victim's OpenClaw instance processes this tool metadata
- When an approval prompt is displayed, the ANSI codes execute in the terminal
- The terminal output is manipulated to display misleading information, potentially causing the user to approve an action they did not intend
The vulnerability requires user interaction—the victim must view the manipulated terminal output. However, no special privileges are required by the attacker to inject the malicious sequences.
Detection Methods for CVE-2026-35651
Indicators of Compromise
- Unusual ANSI escape sequences (e.g., \\x1b[, \033[) appearing in tool metadata or log files
- Tool titles or descriptions containing non-printable control characters
- User reports of unexpected terminal behavior during approval prompts
- Permission logs showing evidence of cursor manipulation or text overwriting
Detection Strategies
- Implement input validation that flags or blocks ANSI escape sequences in tool metadata fields
- Deploy log analysis rules to detect control characters in approval-related log entries
- Monitor for unusual patterns in tool registration that include escape sequence byte patterns
- Enable terminal logging to capture raw output for forensic analysis
Monitoring Recommendations
- Configure SIEM rules to alert on escape sequence patterns (\\\x1b\\[, \\033\\[) in application logs
- Implement application-level logging that records raw bytes before terminal rendering
- Review tool metadata submissions for suspicious character sequences during security audits
How to Mitigate CVE-2026-35651
Immediate Actions Required
- Upgrade OpenClaw to a version newer than 2026.3.24 that includes the security fix
- Review any tool metadata in your environment for suspicious ANSI escape sequences
- Consider implementing terminal output sanitization at the application or wrapper level as a defense-in-depth measure
Patch Information
The OpenClaw maintainers have addressed this vulnerability in commit 464e2c10a5edceb380d815adb6ff56e1a4c50f60. For complete details, refer to the GitHub Security Advisory GHSA-4hmj-39m8-jwc7. Additional technical information is available in the VulnCheck Advisory.
Workarounds
- Strip ANSI escape sequences from tool metadata at the application boundary before processing
- Use terminal emulators that provide escape sequence filtering or sandboxing capabilities
- Implement a wrapper script that sanitizes output before rendering approval prompts
- Restrict tool registration to trusted sources to limit exposure to malicious metadata
# Example: Strip ANSI escape sequences from tool metadata
# This can be used as a temporary mitigation
sed 's/\\x1b\[[0-9;]*[a-zA-Z]//g' tool_metadata.json > sanitized_metadata.json
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
