DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-JF56-MCCX-5F3F: GHSA-JF56-MCCX-5F3F: Indirect Prompt Injection and Agent Compromise in OpenClaw Webhooks

#security #cve #cybersecurity #ghsa

GHSA-JF56-MCCX-5F3F: Indirect Prompt Injection and Agent Compromise in OpenClaw Webhooks

Vulnerability ID: GHSA-JF56-MCCX-5F3F
CVSS Score: 9.8
Published: 2026-04-09

The OpenClaw AI framework suffers from a critical indirect prompt injection vulnerability within its webhook processing endpoint. The framework fails to segregate untrusted external payload data from authoritative system instructions, allowing authenticated attackers to execute arbitrary commands, bypass safety guardrails, and exfiltrate sensitive data via the underlying Large Language Model (LLM).

TL;DR

A high-severity flaw in OpenClaw's webhook handler allows attackers to perform indirect prompt injection by sending crafted JSON payloads to the /hooks/wake endpoint. This grants full control over the AI agent's actions, leading to remote code execution and data exfiltration.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94, CWE-116, CWE-502
  • Attack Vector: Network
  • Authentication Required: Yes (Webhook API Key)
  • CVSS Score: 9.8
  • Impact: Remote Code Execution / Agent Compromise
  • Exploit Status: Proof of Concept Available

Affected Systems

  • OpenClaw AI Assistant Framework
  • OpenClaw /hooks/wake Endpoint
  • OpenClaw system-prompt.ts Generator
  • OpenClaw: < 3.5.2 (Fixed in: 3.5.2)

Mitigation Strategies

  • Upgrade OpenClaw framework to version 3.5.2 or newer.
  • Restrict network access to the /hooks/wake endpoint to trusted IP addresses.
  • Disable automated wake processing features if the endpoint must remain exposed.
  • Implement structured prompt encapsulation (e.g., XML delimiters) for all untrusted data handling.

Remediation Steps:

  1. Identify all deployed instances of the OpenClaw framework within the infrastructure.
  2. Verify the current version of the application using package managers or runtime logs.
  3. Update the openclaw dependency to >= v3.5.2 via npm, pip, or the relevant package manager.
  4. Restart the OpenClaw service to ensure the new prompt construction logic is loaded into memory.
  5. Monitor application logs for anomalous LLM tool execution or unauthorized system prompt updates.

References

Read the full report for GHSA-JF56-MCCX-5F3F on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)