CVE-2026-35651: OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompt
mediumvulnerability
security
Summary
OpenClaw versions 2026.2.13 through 2026.3.24 have an ANSI escape sequence injection vulnerability (a bug where attackers can sneak special terminal control codes into the system) in approval prompts that allows attackers to trick the terminal display by manipulating tool metadata. This means an attacker could use malicious tool names containing these control sequences to make false information appear in approval prompts and permission logs.
Vulnerability Details
CVSS Score
4.3(medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
network
Attack Complexity
low
Privileges Required
none
User Interaction
required
Disclosure Date
April 10, 2026
Classification
Attack Type
Prompt Injection
Attack SophisticationTrivial
Impact (CIA+S)
integrity
AI Component TargetedAgent
Affected Vendors
OpenAI
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-35651
First tracked: April 10, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 75%