PT-2026-26421 · Openclaw · Openclaw

Sean Nejad · Published 2026-03-03 · Updated 2026-03-20 · CVE-2026-32040

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.23

Description: OpenClaw versions prior to 2026.2.23 contain an HTML injection issue in the HTML session exporter. This allows attackers to execute arbitrary JavaScript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially designed mimeType attributes that escape the img src data-URL context, leading to cross-site scripting (XSS) when the exported HTML is opened. The issue resides in the src/auto-reply/reply/export-html/template.js file, specifically at lines 1032 and 1306, where img.mimeType is interpolated directly into <img src="data:..."> attributes without validation or escaping. A crafted mimeType value, such as x" onerror="alert(1)", can break out of the attribute context and execute arbitrary JavaScript. The vulnerability requires the attacker to control image entries in session data.

Recommendations: Versions prior to 2026.2.23 are affected. Update to version 2026.2.23 or later, which includes a sanitizeImageMimeType() helper function that validates mimeType against a whitelist of known image MIME types and falls back to application/octet-stream for unrecognized values, preventing attribute breakout.
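The following is an added illustration, not OpenClaw's own template.js code. It reproduces the vulnerable shape the advisory describes (mimeType interpolated straight into the img src attribute) beside a hardened version built around a whitelist-and-fallback helper as the advisory describes the fix. The helper name sanitizeImageMimeType comes from the advisory; its exact whitelist, the escapeAttr helper, the render functions and the hasSingleSrcAttribute regression check are assumptions made here, and the sample entries are constructed.

```javascript
// Added example, not OpenClaw's code. Assumed whitelist of image MIME types; the
// project's actual list may differ.
const IMAGE_MIME_WHITELIST = new Set([
  "image/png", "image/jpeg", "image/gif", "image/webp", "image/svg+xml", "image/bmp",
]);

// Assumed implementation of the sanitizeImageMimeType() helper the advisory names:
// only a known image MIME type is returned; anything else becomes the fallback, so
// the value can never carry quote or angle-bracket characters into the attribute.
function sanitizeImageMimeType(mimeType) {
  const value = String(mimeType ?? "").trim().toLowerCase();
  return IMAGE_MIME_WHITELIST.has(value) ? value : "application/octet-stream";
}

// Attribute escaping for the base64 payload (assumed helper): it is also session
// data, so it should not be trusted to stay inside the quotes either.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable shape from the advisory: mimeType lands in the src attribute unchanged.
function renderImageVulnerable(img) {
  return `<img src="data:${img.mimeType};base64,${img.data}">`;
}

// Fixed shape: mimeType passes through the whitelist before interpolation.
function renderImageFixed(img) {
  const mime = sanitizeImageMimeType(img.mimeType);
  return `<img src="data:${mime};base64,${escapeAttr(img.data)}">`;
}

// Regression check an exporter test could run over rendered image blocks:
// a rendered <img> must carry exactly one attribute, and it must be src.
function hasSingleSrcAttribute(html) {
  const attrs = html.match(/\s[a-zA-Z-]+=/g) || [];
  return attrs.length === 1 && attrs[0].trim() === "src=";
}

// Constructed sample entries: a benign image and the breakout value quoted in the advisory.
const benignEntry = { mimeType: "image/png", data: "iVBORw0KGgo=" };
const craftedEntry = { mimeType: 'x" onerror="alert(1)', data: "AAAA" };

for (const entry of [benignEntry, craftedEntry]) {
  const fixed = renderImageFixed(entry);
  console.log(fixed, hasSingleSrcAttribute(fixed) ? "OK" : "ATTRIBUTE BREAKOUT");
}
```

The check in hasSingleSrcAttribute is deliberately coarse: it does not parse HTML, it only flags any extra attribute appearing on an element that should carry a single src, which is exactly the symptom this class of bug produces in an exporter's output.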

Tags: Exploit, Fix, XSS

Related Identifiers

CVE-2026-32040
GHSA-2WW6-868G-2C56

Affected Products

Openclaw