CVE-2026-27524

Published: Mar 18, 2026 Last Modified: Mar 18, 2026

ExploitDB:

Other exploit source:

Google Dorks:

LOW 2,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

LOW 3,1

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: low

Availability: none

Description

AI Translation Available

OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass command gate restrictions.

1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Incomplete

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Read Application Data Modify Application Data Dos: Crash, Exit, Or Restart

Applicable Platforms

Languages: JavaScript

View CWE Details

https://github.com/openclaw/openclaw/commit/fbb79d401300055…

https://github.com/openclaw/openclaw/commit/fbb79d4013000552d6a2c23b9613d8b3cb9…

https://github.com/openclaw/openclaw/security/advisories/GH…

https://github.com/openclaw/openclaw/security/advisories/GHSA-62f6-mrcj-v8h5

https://www.vulncheck.com/advisories/openclaw-prototype-pol…

https://www.vulncheck.com/advisories/openclaw-prototype-pollution-via-debug-ove…

CVE-2026-27524

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter