CVE-2026-30741: OpenClaw: RCE via request-side prompt injection

CRITICAL PoC AVAILABLE CISA: TRACK*
Published March 11, 2026
CISO Take

CVE-2026-30741 is a critical remote code execution flaw (CVSS 9.8) in OpenClaw Agent Platform v2026.2.6, exploitable by any unauthenticated remote attacker through a crafted prompt injection in the request path — no privileges, no user interaction required. A working PoC is publicly available on GitHub alongside a Bilibili exploitation walkthrough, placing this firmly in script-kiddie territory and making mass exploitation a near-term certainty. OpenClaw is already the 11th CVE in this package, and the AI Incident Database records an active threat actor campaign abusing the platform to deliver credential-stealing malware — indicating this ecosystem is actively targeted. Take all internet-exposed OpenClaw instances offline immediately or firewall them to trusted sources only, rotate all credentials accessible to the agent runtime, and monitor for anomalous child process spawning from the agent process.

Sources: NVD ATLAS GitHub Advisory

What is the risk?

Risk is critical. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means any network-reachable OpenClaw deployment is trivially exploitable with zero setup cost. Public PoC plus a video walkthrough eliminate the skills barrier entirely. While not yet in CISA KEV, the combination of full CIA triad impact, network attack vector, low complexity, and available exploit code makes active widespread exploitation highly probable in days, not weeks. The AI agent category amplifies blast radius — compromised agent platforms typically hold LLM API keys, RAG database credentials, internal service tokens, and broad tool access.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.8%
chance of exploitation in 30 days
Higher than 52% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

7 steps
  1. Patch to the latest fixed version of OpenClaw Agent Platform as soon as it is available.

  2. If no patch exists, immediately restrict network access — firewall affected instances to trusted IP ranges only or take offline.

  3. Audit agent tool permissions and enforce least-privilege; disable code execution, shell, or file system tools unless strictly required.

  4. Rotate all credentials and API keys in the agent's environment variables and configuration files.

  5. Enable process monitoring and alert on child processes spawned by the agent runtime (e.g., bash, sh, cmd, powershell).

  6. Deploy input validation or a WAF upstream to block known prompt injection patterns.

  7. Review audit logs for requests containing instruction-override sequences or system prompt bypass patterns coinciding with the publication date (2026-03-11 onward).

What does CISA's SSVC say?

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - AI system security controls
NIST AI RMF
MANAGE-2.2 - Mechanisms to maintain AI system security and resilience
OWASP LLM Top 10
LLM01:2025 - Prompt Injection LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-30741?

CVE-2026-30741 is a critical remote code execution flaw (CVSS 9.8) in OpenClaw Agent Platform v2026.2.6, exploitable by any unauthenticated remote attacker through a crafted prompt injection in the request path — no privileges, no user interaction required. A working PoC is publicly available on GitHub alongside a Bilibili exploitation walkthrough, placing this firmly in script-kiddie territory and making mass exploitation a near-term certainty. OpenClaw is already the 11th CVE in this package, and the AI Incident Database records an active threat actor campaign abusing the platform to deliver credential-stealing malware — indicating this ecosystem is actively targeted. Take all internet-exposed OpenClaw instances offline immediately or firewall them to trusted sources only, rotate all credentials accessible to the agent runtime, and monitor for anomalous child process spawning from the agent process.

Is CVE-2026-30741 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-30741, increasing the risk of exploitation.

How to fix CVE-2026-30741?

1. Patch to the latest fixed version of OpenClaw Agent Platform as soon as it is available. 2. If no patch exists, immediately restrict network access — firewall affected instances to trusted IP ranges only or take offline. 3. Audit agent tool permissions and enforce least-privilege; disable code execution, shell, or file system tools unless strictly required. 4. Rotate all credentials and API keys in the agent's environment variables and configuration files. 5. Enable process monitoring and alert on child processes spawned by the agent runtime (e.g., bash, sh, cmd, powershell). 6. Deploy input validation or a WAF upstream to block known prompt injection patterns. 7. Review audit logs for requests containing instruction-override sequences or system prompt bypass patterns coinciding with the publication date (2026-03-11 onward).

What systems are affected by CVE-2026-30741?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, AI agent deployments, Multi-agent orchestration systems, LLM-powered automation pipelines, Agentic SaaS platforms.

What is the CVSS score for CVE-2026-30741?

CVE-2026-30741 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.80%.

What is the AI security impact?

Affected AI Architectures

Agent frameworksAI agent deploymentsMulti-agent orchestration systemsLLM-powered automation pipelinesAgentic SaaS platforms

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0051 LLM Prompt Injection
AML.T0051.000 Direct
AML.T0053 AI Agent Tool Invocation
AML.T0112 Machine Compromise

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM01:2025, LLM06:2025

What are the technical details?

Original Advisory

A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack.

Exploitation Scenario

An attacker discovers an internet-exposed OpenClaw Agent Platform instance via Shodan or the GitHub PoC's embedded scanning instructions. They send a crafted HTTP request with a prompt injection payload embedded in the user message field — for example, an instruction sequence that overrides the system prompt and directs the agent to execute an OS command via its code execution tool. The OpenClaw platform passes the injected prompt to its underlying LLM without sanitization; the LLM generates a tool call invoking the shell with attacker-supplied arguments. The attacker receives a reverse shell running as the agent process user, then pillages environment variables for LLM API keys and cloud credentials, and moves laterally to connected internal services the agent was authorized to reach.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
March 11, 2026
Last Modified
March 17, 2026
First Seen
March 11, 2026

Related Vulnerabilities