CVE-2026-25593 is a high-severity vulnerability in OpenClaw, a personal AI assistant. An unauthenticated local client can call the Gateway WebSocket API, specifically its config.apply function, to write configuration settings. This allows unsafe cliPath values to be set, which can later be leveraged for command discovery and command injection as the gateway user. The vulnerability is addressed in version 2026.1.20.
With a CVSS score of 8.4, this vulnerability is classified as high severity, indicating significant risk for organizations utilizing OpenClaw. The potential for command injection and unauthorized command execution poses a serious threat, especially given the local attack vector and low complexity required to exploit it.
Risk to organizations includes unauthorized access to sensitive commands and data exposure, underscoring the urgency for defenders to prioritize patching this vulnerability immediately.
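To illustrate the two controls the advisory implies (authenticating config.apply callers and validating cliPath before it is stored), here is an added example, not OpenClaw's own code: the handler names, the allowlist of CLI binaries and the token check are all assumptions.

```python
import hmac
from pathlib import PurePosixPath

# Constructed allowlist of binaries the gateway may launch via cliPath (assumption).
ALLOWED_CLI_BINARIES = {"openclaw-cli", "node"}
# Characters that would let a stored path be reinterpreted by a shell.
UNSAFE_CHARS = set(";|&$`<>()\n\r\"'\\ \t")


class ConfigError(ValueError):
    pass


def apply_config_vulnerable(config, update):
    """Vulnerable pattern: any local client may write any key, no validation."""
    config.update(update)
    return config


def validate_cli_path(value):
    """Accept only an absolute, normalized path to an allowlisted binary."""
    if not isinstance(value, str) or not value:
        raise ConfigError("cliPath must be a non-empty string")
    if any(ch in UNSAFE_CHARS for ch in value):
        raise ConfigError("cliPath contains shell metacharacters or whitespace")
    path = PurePosixPath(value)
    if not path.is_absolute() or ".." in path.parts:
        raise ConfigError("cliPath must be an absolute, normalized path")
    if path.name not in ALLOWED_CLI_BINARIES:
        raise ConfigError(f"cliPath binary {path.name!r} is not allowlisted")
    return str(path)


def is_safe_cli_path(value):
    try:
        validate_cli_path(value)
        return True
    except ConfigError:
        return False


# Only keys with a validator are writable through config.apply.
VALIDATORS = {"cliPath": validate_cli_path}


def apply_config_hardened(config, update, auth_token, expected_token):
    """Hardened pattern: require the gateway token even for localhost clients,
    then validate every key before it reaches the stored configuration."""
    if not auth_token or not hmac.compare_digest(auth_token, expected_token):
        raise PermissionError("config.apply requires a valid gateway token")
    new_config = dict(config)
    for key, value in update.items():
        if key not in VALIDATORS:
            raise ConfigError(f"key {key!r} is not writable via config.apply")
        new_config[key] = VALIDATORS[key](value)
    return new_config
```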
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.