CVE-2026-25593

HIGH

Openclaw < 2026.1.20 - Missing Authentication

Title source: rule

Description

OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.

Scores

CVSS v3 8.4
EPSS 0.0002
EPSS Percentile 6.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78 CWE-306
Status published
Products (2)
npm/openclaw 0 - 2026.1.20 (npm)
openclaw/openclaw < 2026.1.20
Published Feb 06, 2026
Tracked Since Feb 18, 2026