PT-2026-26018 · Openclaw · Openclaw

Tdjackey · Published 2026-02-21 · Updated 2026-03-18 · CVE-2026-27524

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.21

Description: OpenClaw versions prior to 2026.2.21 are susceptible to prototype pollution because the runtime /debug set command accepts prototype-reserved keys inside override object values. An authorized caller of /debug set can supply keys such as __proto__, constructor or prototype to modify object prototypes and thereby bypass command gate restrictions. The /debug functionality is disabled by default, and exploitation requires prior authorization. The issue affects runtime in-memory overrides only; they are not persisted and are cleared on restart or reset. The API endpoint involved is /debug set, and the vulnerable parameters are the override object values. Command gates such as bash, config and debug previously read their flags through the prototype chain, so a value written onto Object.prototype satisfied the check; the fix requires each gate flag to be an own property of boolean type.

Recommendations: Update OpenClaw to version 2026.2.21 or later.
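The mechanism above, as an added example that is not OpenClaw's own code: a minimal model of an in-memory override store with a recursive "set override" merge, a command gate that reads its flag through the prototype chain, and the two hardening steps the advisory describes (rejecting prototype-reserved keys and requiring own-property boolean flags). All function names, the store layout and the sample payload are assumptions made for illustration.

```javascript
// Added example, not OpenClaw's code. Names and the payload are assumptions.
// Models: a runtime override store, a "/debug set"-style merge into it, and
// a command gate that decides whether e.g. "bash" is enabled.

const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable merge: copies every key the caller sent, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the recursion
// writes the nested values onto the shared prototype of every plain object.
function applyOverrideUnsafe(target, patch) {
  for (const key of Object.keys(patch)) {
    const value = patch[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      applyOverrideUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: reserved keys are rejected at every nesting level.
function applyOverrideSafe(target, patch) {
  for (const key of Object.keys(patch)) {
    if (RESERVED_KEYS.has(key)) {
      throw new Error(`override rejected: reserved key "${key}"`);
    }
    const value = patch[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      applyOverrideSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Weak gate: an inherited "bash: true" on Object.prototype satisfies this.
function isGateEnabledWeak(overrides, gate) {
  return overrides[gate] === true;
}

// Strict gate: the flag must be the store's own property and a boolean true.
function isGateEnabledStrict(overrides, gate) {
  return Object.prototype.hasOwnProperty.call(overrides, gate) &&
    overrides[gate] === true;
}

// Runs the scenario end to end and returns the observations; it undoes the
// pollution it causes so the process is left clean.
function demonstrate() {
  // Constructed payload an authorized caller might submit. Parsed from JSON
  // so "__proto__" is an ordinary own key, not a prototype setter.
  const payload = JSON.parse('{"__proto__": {"bash": true}}');
  const r = {};

  const unsafeStore = {};
  applyOverrideUnsafe(unsafeStore, payload);
  r.storeHasOwnBash = Object.prototype.hasOwnProperty.call(unsafeStore, "bash");
  r.weakGateOnFreshObject = isGateEnabledWeak({}, "bash");     // polluted: true
  r.strictGateOnFreshObject = isGateEnabledStrict({}, "bash"); // own check: false
  delete Object.prototype.bash; // undo the pollution

  const safeStore = {};
  try {
    applyOverrideSafe(safeStore, payload);
    r.safeRejectedPayload = false;
  } catch (e) {
    r.safeRejectedPayload = true;
  }
  r.weakGateAfterSafe = isGateEnabledWeak({}, "bash");

  // A legitimate own-property boolean still enables the gate; a non-boolean
  // value such as the string "true" does not.
  applyOverrideSafe(safeStore, { bash: true, config: "true" });
  r.strictGateLegit = isGateEnabledStrict(safeStore, "bash");
  r.strictGateString = isGateEnabledStrict(safeStore, "config");
  return r;
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The payload is parsed from JSON deliberately: an object literal `{ __proto__: {...} }` in source code sets the literal's prototype instead of creating a key, whereas `JSON.parse` produces an own `"__proto__"` property, which is how such a value arrives over an API. Both hardening steps are needed: rejecting reserved keys stops the write, and the own-property boolean check keeps the gate correct even if some other code path pollutes the prototype.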

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

BDU:2026-05247
CVE-2026-27524
GHSA-62F6-MRCJ-V8H5

Affected Products

Openclaw