CVE-2026-35651

MEDIUM

OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Injection in Approval Prompt

Title source: cna

Description

OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling attackers to manipulate displayed information through malicious tool titles.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-4hmj-39m8-jwc7

[Patch] https://github.com/openclaw/openclaw/commit/464e2c10a5edceb380d815adb6ff56e1a4c50f60

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-ansi-escape-sequence-injection-in-approval-prompt

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 8.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE

CWE-150

Status published

Products (4)

npm/openclaw 2026.2.13 - 2026.3.28npm

OpenClaw/OpenClaw 2026.2.13 - 2026.3.24

openclaw/openclaw 2026.2.13 - 2026.3.25

OpenClaw/OpenClaw 2026.3.25

Published Apr 10, 2026

Tracked Since Apr 10, 2026