OpenClaw message-object prompt injection patched in 2026.4.23 security flaw
Vulnerability
Summary
Hide ▲
Show ▼
OpenClaw has a patched message-object prompt injection flaw that let hidden instructions inside shared contacts, vCards, and location pins reach the LLM as trusted prompt text, creating code-execution and secret-leakage risk for self-hosted agents. Imperva showed the agent flattening those objects inline with no untrusted boundary, so attacker text could blend into ordinary-looking input. OpenClaw 2026.4.23 fixes the issue by moving contact names, vCard fields, and location labels into a separate untrusted-metadata channel. Systems that have not updated remain exposed whenever they ingest untrusted message content.
Related Happenings
OpenClaw outbound-mail approval gates and trust-scoped connector controls
Defensive Guidance
H score11
First: 11.06.2026 20:46
Last: 11.06.2026 20:46
Sources 1
How related:
Outbound mail needs a gate: no first-time sends to unfamiliar addresses without approval, so a hijacked agent cannot relay phishing from a trusted account.
About this happening:
OpenClaw operators are adding **outbound-mail approval gates**, **trust-scoped connector access**, and **human approval** for risky actions to reduce **agent phishing** and unauth...
OpenClaw outbound-mail approval gates and trust-scoped connector controls
Defensive GuidanceHow related: Outbound mail needs a gate: no first-time sends to unfamiliar addresses without approval, so a hijacked agent cannot relay phishing from a trusted account.
About this happening: OpenClaw operators are adding **outbound-mail approval gates**, **trust-scoped connector access**, and **human approval** for risky actions to reduce **agent phishing** and unauth...
OpenClaw/OpenShell managed sandbox backend Claw Chain (multiple vulnerabilities)
Vulnerability
H score31
First: 15.05.2026 16:35
Last: 15.05.2026 16:35
Sources 1
About this happening:
Researchers disclosed **four OpenClaw flaws** in the **OpenShell managed sandbox backend** that can be chained for **data theft**, **privilege escalation**, and **persistence**. T...
OpenClaw/OpenShell managed sandbox backend Claw Chain (multiple vulnerabilities)
VulnerabilityAbout this happening: Researchers disclosed **four OpenClaw flaws** in the **OpenShell managed sandbox backend** that can be chained for **data theft**, **privilege escalation**, and **persistence**. T...
ChatGPT single-prompt DNS side-channel exfiltration remote code execution flaw
Vulnerability
H score36
First: 31.03.2026 16:01
Last: 31.03.2026 16:01
Sources 1
About this happening:
A **ChatGPT** vulnerability let a **single malicious prompt** covertly exfiltrate prompts, messages, uploaded files, and other sensitive content through a **DNS side channel**. Th...
ChatGPT single-prompt DNS side-channel exfiltration remote code execution flaw
VulnerabilityAbout this happening: A **ChatGPT** vulnerability let a **single malicious prompt** covertly exfiltrate prompts, messages, uploaded files, and other sensitive content through a **DNS side channel**. Th...
OpenClaw hardening guidance (CNCERT)
Advisory/Mitigation
H score26
First: 14.03.2026 18:17
Last: 14.03.2026 18:17
Sources 1
About this happening:
China's **CNCERT** issued mitigation guidance for **OpenClaw**, warning that weak defaults and privileged access could let attackers seize endpoints, leak data, or trigger destruc...
OpenClaw hardening guidance (CNCERT)
Advisory/MitigationAbout this happening: China's **CNCERT** issued mitigation guidance for **OpenClaw**, warning that weak defaults and privileged access could let attackers seize endpoints, leak data, or trigger destruc...
Cline AI coding assistant hit by network compromise
Incident
H score14
First: 09.03.2026 01:35
Last: 09.03.2026 01:35
Sources 1
About this happening:
The **Cline** coding assistant suffered a **supply-chain compromise** that installed a rogue **OpenClaw** instance on **thousands of systems**, creating unauthorized **full system...
Cline AI coding assistant hit by network compromise
IncidentAbout this happening: The **Cline** coding assistant suffered a **supply-chain compromise** that installed a rogue **OpenClaw** instance on **thousands of systems**, creating unauthorized **full system...
Timeline
-
11.06.2026 20:46 2 articles · 2h ago
OpenClaw flaws let hidden instructions run code and phishing emails leak secrets
Initial DisclosureImperva and Varonis Threat Labs disclosed separate findings showing that OpenClaw can be manipulated through ordinary-looking inputs. Imperva demonstrated that hidden instructions embedded in shared contacts, vCards, and location pins could be flattened into prompt text and made the agent download and run a script, while Varonis showed that a Pinchy agent could be tricked by a believable email into forwarding mock AWS IAM access keys, database connection strings, SSH credentials, and a synthetic customer export.
Show sources
- New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets — thehackernews.com — 11.06.2026 20:46
- New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets — thehackernews.com — 11.06.2026 20:46