OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.
OpenClaw Affected by Unauthenticated Local RCE via WebSocket config.apply
State: PUBLISHED | CVE record format 5.2 | CWE-78, CWE-306
Problem type
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-306: Missing Authentication for Critical Function
Affected products
Vendor: openclaw
Product: openclaw
Versions: < 2026.1.20 - AFFECTED
References
GitHub Security Advisories
GHSA-g55j-c2v4-pjcg
OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply
https://github.com/advisories/GHSA-g55j-c2v4-pjcg
Summary
An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user.
Impact
A local process on the same machine could execute arbitrary commands as the gateway process user.
Details
- config.apply accepted raw JSON and wrote it to disk after schema validation.
- cliPath values were not constrained to safe executable names/paths.
- Command discovery used a shell invocation when resolving executables.
Mitigation
Upgrade to a patched release. If projects cannot upgrade immediately, set gateway.auth and avoid custom cliPath values.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25593
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25593",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-02-06T20:56:02.824Z",
"dateReserved": "2026-02-03T01:02:46.716Z",
"datePublished": "2026-02-06T20:56:02.824Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-02-06T20:56:02.824Z"
},
"title": "OpenClaw Affected by Unauthenticated Local RCE via WebSocket config.apply",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20."
}
],
"affected": [
{
"vendor": "openclaw",
"product": "openclaw",
"versions": [
{
"version": "< 2026.1.20",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
"cweId": "CWE-78",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "CWE-306: Missing Authentication for Critical Function",
"cweId": "CWE-306",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg",
"name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg",
"tags": [
"x_refsource_CONFIRM"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH"
}
}
]
}
}
}