GHSA-7Q2J-C4Q5-RM27

Vulnerability from github – Published: 2026-02-17 21:41 – Updated: 2026-02-17 21:41
VLAI?
Summary
OpenClaw macOS deep link confirmation truncation can conceal executed agent message
Details

Summary

OpenClaw macOS desktop client registers the openclaw:// URL scheme. For openclaw://agent deep links without an unattended key, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked "Run".

At the time of writing, the OpenClaw macOS desktop client is still in beta.

An attacker could pad the message with whitespace to push a malicious payload outside the visible preview, increasing the chance a user approves a different message than the one that is actually executed.

Impact

If a user runs the deep link, the agent may perform actions that can lead to arbitrary command execution depending on the user's configured tool approvals/allowlists. This is a social-engineering mediated vulnerability: the confirmation prompt could be made to misrepresent the executed message.

Affected Versions

  • OpenClaw macOS desktop client versions >= 2026.2.6 and <= 2026.2.13.

Fixed Versions

  • 2026.2.14.

Mitigations

  • Do not approve unexpected "Run OpenClaw agent?" prompts triggered while browsing untrusted sites.
  • Use unattended deep links only with a valid key for trusted personal automations.

Resolution

Unkeyed deep links now enforce a strict message length limit for confirmation and ignore delivery/routing knobs (deliver, to, channel) unless a valid unattended key is provided.

Fix commit: 28d9dd7a772501ccc3f71457b4adfee79084fe6f

Fix commit 28d9dd7a772501ccc3f71457b4adfee79084fe6f confirmed on main and in v2026.2.14. Upgrade to openclaw >= 2026.2.14.

Severity ?
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.2.6-0"
            },
            {
              "fixed": "2026.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:41:40Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nOpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked \"Run\".\n\nAt the time of writing, the OpenClaw macOS desktop client is still in beta.\n\nAn attacker could pad the message with whitespace to push a malicious payload outside the visible preview, increasing the chance a user approves a different message than the one that is actually executed.\n\n### Impact\nIf a user runs the deep link, the agent may perform actions that can lead to arbitrary command execution depending on the user\u0027s configured tool approvals/allowlists. This is a social-engineering mediated vulnerability: the confirmation prompt could be made to misrepresent the executed message.\n\n## Affected Versions\n- OpenClaw macOS desktop client versions \u003e= 2026.2.6 and \u003c= 2026.2.13.\n\n## Fixed Versions\n- 2026.2.14.\n\n### Mitigations\n- Do not approve unexpected \"Run OpenClaw agent?\" prompts triggered while browsing untrusted sites.\n- Use unattended deep links only with a valid `key` for trusted personal automations.\n\n### Resolution\nUnkeyed deep links now enforce a strict message length limit for confirmation and ignore delivery/routing knobs (`deliver`, `to`, `channel`) unless a valid unattended `key` is provided.\n\nFix commit: 28d9dd7a772501ccc3f71457b4adfee79084fe6f\n\n---\n\nFix commit 28d9dd7a772501ccc3f71457b4adfee79084fe6f confirmed on main and in v2026.2.14. Upgrade to `openclaw \u003e= 2026.2.14`.",
  "id": "GHSA-7q2j-c4q5-rm27",
  "modified": "2026-02-17T21:41:40Z",
  "published": "2026-02-17T21:41:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7q2j-c4q5-rm27"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/28d9dd7a772501ccc3f71457b4adfee79084fe6f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw macOS deep link confirmation truncation can conceal executed agent message"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.