GHSA-G27F-9QJV-22PM

Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31
VLAI?
Summary
OpenClaw log poisoning (indirect prompt injection) via WebSocket headers
Details

Summary

In openclaw versions prior to 2026.2.13, OpenClaw logged certain WebSocket request headers (including Origin and User-Agent) without neutralization or length limits on the "closed before connect" path.

If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning).

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.12
  • Fixed: >= 2026.2.13

Details

  • Component: src/gateway/server/ws-connection.ts
  • Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context.

Impact

This issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited.

Fix

Header values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting). - Fix commits: d637a263505448bf4505b85535babbfaacedbaac, e84318e4bcdc948d92e57fda1eb763a65e1774f0 (PR #15592)

Workarounds

  • Upgrade to openclaw@2026.2.13 or later.
  • Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs).
  • Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable.

Thanks @pkerkhofs for reporting.

Severity ?
3.1 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:31:39Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nIn `openclaw` versions prior to `2026.2.13`, OpenClaw logged certain WebSocket request headers (including `Origin` and `User-Agent`) without neutralization or length limits on the \"closed before connect\" path.\n\nIf an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning).\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.12`\n- Fixed: `\u003e= 2026.2.13`\n\n### Details\n- Component: `src/gateway/server/ws-connection.ts`\n- Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context.\n\n### Impact\nThis issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited.\n\n### Fix\nHeader values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting).\n- Fix commits: `d637a263505448bf4505b85535babbfaacedbaac`, `e84318e4bcdc948d92e57fda1eb763a65e1774f0` (PR #15592)\n\n### Workarounds\n- Upgrade to `openclaw@2026.2.13` or later.\n- Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs).\n- Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable.\n\nThanks @pkerkhofs for reporting.",
  "id": "GHSA-g27f-9qjv-22pm",
  "modified": "2026-02-17T21:31:39Z",
  "published": "2026-02-17T21:31:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/pull/15592"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/d637a263505448bf4505b85535babbfaacedbaac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw log poisoning (indirect prompt injection) via WebSocket headers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.