AI Threat Alert AI Threat Alert

CVE-2026-30741: OpenClaw: RCE via request-side prompt injection

CRITICAL PoC AVAILABLE
Published March 11, 2026
CISO Take

CVE-2026-30741 is a critical remote code execution flaw (CVSS 9.8) in OpenClaw Agent Platform v2026.2.6, exploitable by any unauthenticated remote attacker through a crafted prompt injection in the request path — no privileges, no user interaction required. A working PoC is publicly available on GitHub alongside a Bilibili exploitation walkthrough, placing this firmly in script-kiddie territory and making mass exploitation a near-term certainty. OpenClaw is already the 11th CVE in this package, and the AI Incident Database records an active threat actor campaign abusing the platform to deliver credential-stealing malware — indicating this ecosystem is actively targeted. Take all internet-exposed OpenClaw instances offline immediately or firewall them to trusted sources only, rotate all credentials accessible to the agent runtime, and monitor for anomalous child process spawning from the agent process.

Sources: NVD ATLAS GitHub Advisory

Risk Assessment

Risk is critical. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means any network-reachable OpenClaw deployment is trivially exploitable with zero setup cost. Public PoC plus a video walkthrough eliminate the skills barrier entirely. While not yet in CISA KEV, the combination of full CIA triad impact, network attack vector, low complexity, and available exploit code makes active widespread exploitation highly probable in days, not weeks. The AI agent category amplifies blast radius — compromised agent platforms typically hold LLM API keys, RAG database credentials, internal service tokens, and broad tool access.

Affected Systems

Package Ecosystem Vulnerable Range Patched
openclaw pip No patch
openclaw pip No patch
openclaw pip No patch
openclaw pip No patch

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
N/A
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

  1. Patch to the latest fixed version of OpenClaw Agent Platform as soon as it is available.
  2. If no patch exists, immediately restrict network access — firewall affected instances to trusted IP ranges only or take offline.
  3. Audit agent tool permissions and enforce least-privilege; disable code execution, shell, or file system tools unless strictly required.
  4. Rotate all credentials and API keys in the agent's environment variables and configuration files.
  5. Enable process monitoring and alert on child processes spawned by the agent runtime (e.g., bash, sh, cmd, powershell).
  6. Deploy input validation or a WAF upstream to block known prompt injection patterns.
  7. Review audit logs for requests containing instruction-override sequences or system prompt bypass patterns coinciding with the publication date (2026-03-11 onward).

Classification

Prompt Injection Code Execution Agent Framework AML.T0049 AML.T0051 AML.T0051.000 AML.T0053 AML.T0112

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - AI system security controls
NIST AI RMF
MANAGE-2.2 - Mechanisms to maintain AI system security and resilience
OWASP LLM Top 10
LLM01:2025 - Prompt Injection LLM06:2025 - Excessive Agency

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub
Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

AIID #1368 documents active threat actor abuse of the OpenClaw skills ecosystem to deliver credential-stealing malware, confirming the platform is an established adversary target. CVE-2026-30741's unauthenticated RCE capability provides a direct alternative path to achieve the same credential exfiltration outcome without requiring victim skill installation, making the incidents structurally related through shared platform and attack objective.

AIID #1368

Source: AI Incident Database (AIID)

Technical Details

NVD Description

A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack.

Exploitation Scenario

An attacker discovers an internet-exposed OpenClaw Agent Platform instance via Shodan or the GitHub PoC's embedded scanning instructions. They send a crafted HTTP request with a prompt injection payload embedded in the user message field — for example, an instruction sequence that overrides the system prompt and directs the agent to execute an OS command via its code execution tool. The OpenClaw platform passes the injected prompt to its underlying LLM without sanitization; the LLM generates a tool call invoking the shell with attacker-supplied arguments. The attacker receives a reverse shell running as the agent process user, then pillages environment variables for LLM API keys and cloud credentials, and moves laterally to connected internal services the agent was authorized to reach.

Weaknesses (CWE)

CWE-94

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
March 11, 2026
Last Modified
March 17, 2026
First Seen
March 11, 2026

Related Vulnerabilities

CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-m3mh-3mpg-37hw 8.6

OpenClaw: .npmrc hijack enables RCE on plugin install

Same package: openclaw
HIGH CVE-2026-27001 7.8

OpenClaw: prompt injection via unsanitized workspace path

Same package: openclaw
HIGH GHSA-hr5v-j9h9-xjhg 7.7

OpenClaw: sandbox escape via mediaUrl path traversal

Same package: openclaw
HIGH CVE-2026-26321 7.5

OpenClaw: path traversal enables local file exfiltration

Same package: openclaw
Back to Threat Feed