CVE-2026-35651
MEDIUMOpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Injection in Approval Prompt
Title source: cnaDescription
OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling attackers to manipulate displayed information through malicious tool titles.
References (3)
Core 3
Core References
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Injection in Approval Prompt
https://www.vulncheck.com/advisories/openclaw-ansi-escape-sequence-injection-in-approval-prompt
Third Party Advisory third-party-advisory
GitHub Security Advisory (GHSA-4hmj-39m8-jwc7)
https://github.com/openclaw/openclaw/security/advisories/GHSA-4hmj-39m8-jwc7
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/464e2c10a5edceb380d815adb6ff56e1a4c50f60
Scores
CVSS v3
4.3
EPSS
0.0026
EPSS Percentile
17.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-150
Status
published
Products (4)
npm/openclaw
2026.2.13 - 2026.3.28npm
OpenClaw/OpenClaw
2026.2.13 - 2026.3.24
openclaw/openclaw
2026.2.13 - 2026.3.25
OpenClaw/OpenClaw
2026.3.25
Published
Apr 10, 2026
Tracked Since
Apr 10, 2026