GHSA-37gc-85xm-2ww6
MEDIUM
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
Description
Summary
Stored XSS in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline <script> tag without script-context-safe escaping. A crafted value containing </script> could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.2.14
- Fixed in: >= 2026.2.15 (next release; fix is already merged on main)
Details
The gateway Control UI HTML response previously injected assistantName and assistantAvatar directly into an inline <script> block using JSON.stringify(...). JSON.stringify does not prevent </script> from terminating the script element, enabling stored XSS if an operator/admin sets the assistant identity to a malicious string.
OpenClaw’s Control UI is intended for local use only (see SECURITY.md); this advisory’s CVSS reflects a loopback-only/local-access deployment assumption.
Impact
An attacker with the ability to set assistant identity values (config or agent identity) could cause JavaScript execution for Control UI visitors, enabling token/session theft and privileged actions in the UI.
Fix
- Removed inline script injection; bootstrap config is now served from a JSON endpoint.
- Added a restrictive Content Security Policy for the Control UI (script-src 'self', no inline scripts).
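The failure described in Details and the remedies listed under Fix, as an added example that is not OpenClaw's own code: the function names, `window.__BOOTSTRAP__` and the sample identity are assumptions made for illustration. The escaped variant is a general hardening shown for comparison; the shipped fix is the JSON endpoint plus CSP.

```javascript
// Constructed sample; names here are illustrative, not OpenClaw's own code.
const identity = {
  assistantName: 'Helper</script><p>outside-script</p>',
  assistantAvatar: '/avatar.png',
};

// Pre-fix pattern from Details: JSON.stringify output inside an inline <script>.
function renderInlineUnsafe(id) {
  return `<script>window.__BOOTSTRAP__ = ${JSON.stringify(id)};</script>`;
}

// Script-context-safe variant: escape the characters the HTML parser and older
// JS engines react to, so the value stays inside the string literal.
function serializeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function renderInlineEscaped(id) {
  return `<script>window.__BOOTSTRAP__ = ${serializeForScript(id)};</script>`;
}

// The HTML tokenizer ends a script element at the first "</script", before any
// JavaScript parsing happens. Return what is left inside the element.
function scriptBody(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  return html.slice(start, html.toLowerCase().indexOf('</script', start));
}

// True when the whole assignment is still inside the script element and the
// data round-trips unchanged.
function survivesHtmlParsing(html, id) {
  const m = scriptBody(html).match(/^window\.__BOOTSTRAP__ = (.*);$/s);
  if (!m) return false;
  try { return JSON.stringify(JSON.parse(m[1])) === JSON.stringify(id); }
  catch { return false; }
}

// Shape of the shipped fix: config as a JSON response, HTML served with a CSP
// that allows only same-origin script files (no inline scripts).
function bootstrapResponse(id) {
  return { headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(id) };
}
const controlUiHeaders = { 'Content-Security-Policy': "script-src 'self'" };

console.log('unsafe survives:', survivesHtmlParsing(renderInlineUnsafe(identity), identity));
console.log('escaped survives:', survivesHtmlParsing(renderInlineEscaped(identity), identity));
```

When the client reads the JSON endpoint, it should still write the name into the page with `textContent` rather than `innerHTML`, since the JSON response carries the value unescaped.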
Fix Commit(s)
- adc818db4a4b3b8d663e7674ef20436947514e1b
- 3b4096e02e7e335f99f5986ec1bd566e90b14a7e
Release Process Note
This advisory pre-sets the patched version to the planned next release (2026.2.15). Once that version is published to npm, this advisory can be published without further edits.
Thanks @Adam55A-code for reporting.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| npm | openclaw | all versions | 2026.2.15 |
Detection & mitigation playbook
Open-source dependency
Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update openclaw to 2026.2.15 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-37gc-85xm-2ww6 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.