CVE-2026-35651: OpenClaw: ANSI injection spoof AI agent approval prompts
MEDIUMOpenClaw AI agent framework (versions 2026.2.13–2026.3.24) contains an ANSI escape sequence injection flaw (CWE-150) that lets attackers manipulate terminal output in human approval prompts by embedding control characters in malicious tool metadata. The direct blast radius is any team relying on OpenClaw's built-in approval prompts as a human-in-the-loop control — the very mechanism designed to prevent unauthorized agent actions can be visually spoofed to display a benign-looking tool name while the actual invocation executes something entirely different. CVSS sits at 4.3 (Medium) with no active exploitation in the wild, no public exploit code, and no CISA KEV listing — but this vulnerability targets the oversight layer rather than compute or data, making it architecturally significant beyond its score for teams where human approval is the primary agentic safety control. Upgrade to a build after 2026.3.24 (commit 464e2c10) and audit permission logs for raw ANSI control sequences (patterns beginning with \x1b[) that may indicate prior exploitation.
What is the risk?
The raw CVSS score of 4.3 understates real-world risk in agentic AI environments. While exploitation requires user interaction — attenuating automated mass exploitation — the attack strikes directly at human oversight controls that AI security frameworks treat as a primary safeguard. An agent framework where approval prompts can be visually spoofed reduces the human reviewer to a security theater participant. Teams that have implemented human-in-the-loop approval as their primary control against unauthorized agentic actions should treat this as functionally higher risk than the score implies. The absence of EPSS data, public exploits, and KEV listing keeps this from emergency-patch territory, but its novelty as an oversight-evasion vector warrants prompt remediation in any environment running OpenClaw agent pipelines.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
Do you use OpenClaw? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch: upgrade OpenClaw to a release incorporating commit 464e2c10a5edceb380d815adb6ff56e1a4c50f60.
-
Detection: scan permission logs and terminal captures for raw ANSI control sequences (regex: \x1b\[[0-9;]*[A-Za-z] or ESC character \x1b); presence in approval logs indicates potential exploitation.
-
Short-term workaround if immediate patching is not possible: pipe approval prompt output through a terminal ANSI sanitizer (strip-ansi or equivalent) or route approvals through a GUI/web interface that does not interpret ANSI escape codes.
-
Process control: require secondary out-of-band confirmation for high-privilege tool approvals until patched, using a separate channel not subject to terminal rendering.
-
Log integrity: correlate tool invocation records against structured API-level logs rather than terminal output to detect spoofing discrepancies.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-35651?
OpenClaw AI agent framework (versions 2026.2.13–2026.3.24) contains an ANSI escape sequence injection flaw (CWE-150) that lets attackers manipulate terminal output in human approval prompts by embedding control characters in malicious tool metadata. The direct blast radius is any team relying on OpenClaw's built-in approval prompts as a human-in-the-loop control — the very mechanism designed to prevent unauthorized agent actions can be visually spoofed to display a benign-looking tool name while the actual invocation executes something entirely different. CVSS sits at 4.3 (Medium) with no active exploitation in the wild, no public exploit code, and no CISA KEV listing — but this vulnerability targets the oversight layer rather than compute or data, making it architecturally significant beyond its score for teams where human approval is the primary agentic safety control. Upgrade to a build after 2026.3.24 (commit 464e2c10) and audit permission logs for raw ANSI control sequences (patterns beginning with \x1b[) that may indicate prior exploitation.
Is CVE-2026-35651 actively exploited?
No confirmed active exploitation of CVE-2026-35651 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-35651?
1. Patch: upgrade OpenClaw to a release incorporating commit 464e2c10a5edceb380d815adb6ff56e1a4c50f60. 2. Detection: scan permission logs and terminal captures for raw ANSI control sequences (regex: \x1b\[[0-9;]*[A-Za-z] or ESC character \x1b); presence in approval logs indicates potential exploitation. 3. Short-term workaround if immediate patching is not possible: pipe approval prompt output through a terminal ANSI sanitizer (strip-ansi or equivalent) or route approvals through a GUI/web interface that does not interpret ANSI escape codes. 4. Process control: require secondary out-of-band confirmation for high-privilege tool approvals until patched, using a separate channel not subject to terminal rendering. 5. Log integrity: correlate tool invocation records against structured API-level logs rather than terminal output to detect spoofing discrepancies.
What systems are affected by CVE-2026-35651?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, human-in-the-loop approval pipelines, multi-tool AI orchestration.
What is the CVSS score for CVE-2026-35651?
CVE-2026-35651 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.26%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0053 AI Agent Tool Invocation AML.T0074 Masquerading AML.T0099 AI Agent Tool Data Poisoning AML.T0107 Exploitation for Defense Evasion Compliance Controls Affected
What are the technical details?
Original Advisory
OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling attackers to manipulate displayed information through malicious tool titles.
Exploitation Scenario
An adversary publishes a malicious AI agent tool to a public registry or compromises a private tool repository accessible to the target's OpenClaw deployment. The tool's metadata title contains crafted ANSI escape sequences — for example, cursor-up and line-erase sequences followed by 'Read-only directory listing (safe)' — while the actual tool definition executes a data exfiltration or lateral movement command. When a developer or SOC analyst running OpenClaw encounters the approval prompt for this tool, the terminal display overwrites the real tool name with the spoofed benign label. The analyst approves the action, the malicious tool executes with full agent-level permissions. Because the permission log also captures the unsanitized title, the audit trail records the spoofed name — giving the attacker both execution and post-incident cover.
Weaknesses (CWE)
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences
Primary
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences CWE-150 — Improper Neutralization of Escape, Meta, or Control Sequences: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
- Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw