AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-2qj5-gwg2-xwc4: OpenClaw: Unsanitized CWD path injection into LLM prompts

highvulnerabilityLLM-Specific

security

Source: GitHub Advisory DatabaseFebruary 18, 2026CVE-2026-27001

Summary

OpenClaw, an AI agent tool, had a vulnerability where the current working directory (the folder path where the software is running) was inserted into the AI's instructions without cleaning it first. An attacker could use special characters in folder names, like line breaks or hidden Unicode characters, to break the instruction structure and inject malicious commands, potentially causing the AI to misuse its tools or leak sensitive information.

Solution / Mitigation

Update to OpenClaw version 2026.2.15 or later. The fix sanitizes the workspace path by stripping Unicode control/format characters and explicit line/paragraph separators before embedding it into any LLM prompt output, and applies the same sanitization during workspace path resolution as an additional defensive measure.

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack Type

Prompt Injection

Attack SophisticationTrivial

Impact (CIA+S)

integrityconfidentiality

Affected Vendors

Affected Packages

openclaw@< 2026.2.15 (fixed: 2026.2.15)

Related Issues

high

AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection

Similar attackEmbrace The Red

medium

CVE-2024-45989: Monica AI Assistant desktop application v2.3.0 is vulnerable to Exposure of Sensitive Information to an Unauthorized Act

First tracked: February 18, 2026 at 07:00 PM

Classified by LLM (prompt v3) · confidence: 95%