Low severity · NVD Advisory · Published Mar 18, 2026 · Updated Mar 25, 2026
OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path
CVE-2026-27524
Description
OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass command gate restrictions.
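The reserved-key handling described above, as an added example (not OpenClaw's code and not the patch from the referenced commit): a naive recursive merge of an override value beside a hardened merge that rejects __proto__, constructor and prototype. The function names and the sample override are assumptions made for illustration.

```javascript
// Added example; all names are hypothetical, not OpenClaw's code.
const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Unsafe pattern: recursive merge that trusts every key in the override value.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]); // target["__proto__"] is Object.prototype
    } else target[key] = source[key];
  }
  return target;
}

// Return the dotted paths of reserved keys anywhere inside an override value.
function findReservedKeys(value, path = "") {
  if (Array.isArray(value)) return value.flatMap((v, i) => findReservedKeys(v, `${path}[${i}]`));
  if (!isPlainObject(value)) return [];
  return Object.getOwnPropertyNames(value).flatMap((key) => {
    const here = path ? `${path}.${key}` : key;
    return RESERVED_KEYS.has(key) ? [here] : findReservedKeys(value[key], here);
  });
}

// Hardened merge: reject the whole override if it carries a reserved key,
// and build the result on null-prototype objects.
function safeMerge(target, source) {
  const hits = findReservedKeys(source);
  if (hits.length) throw new Error(`reserved key in override: ${hits.join(", ")}`);
  const out = Object.assign(Object.create(null), target);
  for (const key of Object.keys(source)) {
    const base = isPlainObject(target[key]) ? target[key] : {};
    out[key] = isPlainObject(source[key]) ? safeMerge(base, source[key]) : source[key];
  }
  return out;
}

// Constructed input: JSON.parse makes "__proto__" an own key of the parsed value.
const SAMPLE_OVERRIDE = '{"gate":{"__proto__":{"injected":true}}}';

function demo() {
  const payload = JSON.parse(SAMPLE_OVERRIDE);
  naiveMerge({ gate: {} }, payload);
  const polluted = {}.injected === true; // an unrelated object now inherits the flag
  delete Object.prototype.injected;      // undo the demonstration
  let rejected = null;
  try { safeMerge({ gate: {} }, payload); } catch (e) { rejected = e.message; }
  return { polluted, rejected };
}
console.log(demo());
```

findReservedKeys can also run on its own as a pre-check that logs which path in a submitted override carried the reserved key.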
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.21 | 2026.2.21 |
References
- github.com/openclaw/openclaw/commit/fbb79d4013000552d6a2c23b9613d8b3cb92f6b6 [ghsa, patch, WEB]
- github.com/advisories/GHSA-62f6-mrcj-v8h5 [ghsa, ADVISORY]
- github.com/openclaw/openclaw/security/advisories/GHSA-62f6-mrcj-v8h5 [ghsa, third-party-advisory, WEB]
- nvd.nist.gov/vuln/detail/CVE-2026-27524 [ghsa, ADVISORY]
- www.vulncheck.com/advisories/openclaw-prototype-pollution-via-debug-override-path [ghsa, third-party-advisory, WEB]