CVE-2026-25593: OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply

February 4, 2026 (updated February 6, 2026)

An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user.

References

github.com/advisories/GHSA-g55j-c2v4-pjcg
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg
nvd.nist.gov/vuln/detail/CVE-2026-25593

Code Behaviors & Features

Detect and mitigate CVE-2026-25593 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →