Vulnerability in Openclaw
CVE-2026-35651
OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approva…
EPSS: 0.000 (10.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N.
Affected products
- Openclaw — versions 2026.2.13, 2026.3.25
Weakness classification (CWE)
References
- GitHub Security Advisory (GHSA-4hmj-39m8-jwc7) (third-party-advisory)
- Patch Commit (patch)
- VulnCheck Advisory: OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Injection in Approval Prompt (third-party-advisory)
Frequently asked questions
- What is CVE-2026-35651?
- CVE-2026-35651 is a medium-severity vulnerability in Openclaw, classified under CWE-150. CVSS score: 4.3/10. Published 2026-04-10.
- How severe is CVE-2026-35651?
- Medium severity. CVSS v3 base score is 4.3 out of 10.