{"id":"GHSA-37gc-85xm-2ww6","summary":"OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection","details":"## Summary\nStored XSS in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `\u003cscript\u003e` tag without script-context-safe escaping. A crafted value containing `\u003c/script\u003e` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.14`\n- Fixed in: `\u003e= 2026.2.15` (next release; fix is already merged on `main`)\n\n## Details\nThe gateway Control UI HTML response previously injected `assistantName` and `assistantAvatar` directly into an inline `\u003cscript\u003e` block using `JSON.stringify(...)`. `JSON.stringify` does not prevent `\u003c/script\u003e` from terminating the script element, enabling stored XSS if an operator/admin sets the assistant identity to a malicious string.\n\nOpenClaw’s Control UI is intended for local use only (see `SECURITY.md`); this advisory’s CVSS reflects a loopback-only/local-access deployment assumption.\n\n## Impact\nAn attacker with the ability to set assistant identity values (config or agent identity) could cause JavaScript execution for Control UI visitors, enabling token/session theft and privileged actions in the UI.\n\n## Fix\n- Removed inline script injection and serve bootstrap config from a JSON endpoint.\n- Added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts).\n\n## Fix Commit(s)\n- `adc818db4a4b3b8d663e7674ef20436947514e1b`\n- `3b4096e02e7e335f99f5986ec1bd566e90b14a7e`\n\n## Release Process Note\nThis advisory pre-sets the patched version to the planned next release (`2026.2.15`). Once that version is published to npm, this advisory can be published without further edits.\n\nThanks @Adam55A-code for reporting.","aliases":["CVE-2026-27009"],"modified":"2026-02-20T17:02:59.385901Z","published":"2026-02-18T22:44:33Z","database_specific":{"nvd_published_at":"2026-02-20T00:16:17Z","cwe_ids":["CWE-79"],"github_reviewed":true,"github_reviewed_at":"2026-02-18T22:44:33Z","severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27009"},{"type":"WEB","url":"https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e"},{"type":"WEB","url":"https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b"},{"type":"PACKAGE","url":"https://github.com/openclaw/openclaw"},{"type":"WEB","url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"}],"affected":[{"package":{"name":"openclaw","ecosystem":"npm","purl":"pkg:npm/openclaw"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2026.2.15"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-37gc-85xm-2ww6/GHSA-37gc-85xm-2ww6.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"}]}