CVE-2026-35651: OpenClaw: ANSI injection spoofs AI agent approval prompts

MEDIUM
Published April 10, 2026
CISO Take

OpenClaw AI agent framework (versions 2026.2.13–2026.3.24) contains an ANSI escape sequence injection flaw (CWE-150) that lets attackers manipulate terminal output in human approval prompts by embedding control characters in malicious tool metadata. The direct blast radius is any team relying on OpenClaw's built-in approval prompts as a human-in-the-loop control — the very mechanism designed to prevent unauthorized agent actions can be visually spoofed to display a benign-looking tool name while the actual invocation executes something entirely different. CVSS sits at 4.3 (Medium) with no active exploitation in the wild, no public exploit code, and no CISA KEV listing — but this vulnerability targets the oversight layer rather than compute or data, making it architecturally significant beyond its score for teams where human approval is the primary agentic safety control. Upgrade to a build after 2026.3.24 (commit 464e2c10) and audit permission logs for raw ANSI control sequences (patterns beginning with \x1b[) that may indicate prior exploitation.

Sources: NVD, GitHub Advisory, ATLAS

Risk Assessment

The raw CVSS score of 4.3 understates real-world risk in agentic AI environments. While exploitation requires user interaction — attenuating automated mass exploitation — the attack strikes directly at human oversight controls that AI security frameworks treat as a primary safeguard. An agent framework where approval prompts can be visually spoofed reduces the human reviewer to a security theater participant. Teams that have implemented human-in-the-loop approval as their primary control against unauthorized agentic actions should treat this as functionally higher risk than the score implies. The absence of EPSS data, public exploits, and KEV listing keeps this from emergency-patch territory, but its novelty as an oversight-evasion vector warrants prompt remediation in any environment running OpenClaw agent pipelines.

Attack Kill Chain

  1. Malicious Tool Delivery (AML.T0010.005): The attacker publishes or injects a tool with crafted ANSI escape sequences in its title or metadata into a registry or tool repository accessible to the target's OpenClaw agent environment.
  2. Approval Prompt Spoofing (AML.T0074): OpenClaw renders the malicious tool title in a terminal approval prompt; ANSI sequences overwrite the displayed output, causing the operator to see a false, benign-looking tool name and description.
  3. Human Oversight Bypass (AML.T0107): The operator approves what appears to be a safe, recognized tool invocation, granting execution to the malicious tool with full agent-level permissions based on the spoofed display.
  4. Execution with Log Corruption (AML.T0099): The malicious tool executes its payload while permission logs record the ANSI-spoofed benign tool name, leaving no accurate audit trail of the true action taken and impairing forensic investigation.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
openclaw | pip | | No patch

Severity & Risk

CVSS 3.1: 4.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV: Network
AC: Low
PR: None
UI: Required
S: Unchanged
C: None
I: Low
A: None

Recommended Action

  1. Patch: upgrade OpenClaw to a release incorporating commit 464e2c10a5edceb380d815adb6ff56e1a4c50f60.
  2. Detection: scan permission logs and terminal captures for raw ANSI control sequences (regex: \x1b\[[0-9;]*[A-Za-z] or ESC character \x1b); presence in approval logs indicates potential exploitation.
  3. Short-term workaround if immediate patching is not possible: pipe approval prompt output through a terminal ANSI sanitizer (strip-ansi or equivalent) or route approvals through a GUI/web interface that does not interpret ANSI escape codes.
  4. Process control: require secondary out-of-band confirmation for high-privilege tool approvals until patched, using a separate channel not subject to terminal rendering.
  5. Log integrity: correlate tool invocation records against structured API-level logs rather than terminal output to detect spoofing discrepancies.
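
The detection and sanitizing steps above, as an added example (not OpenClaw code). The log line format and the sample entries are constructed for illustration. Besides the advisory's CSI regex it flags any other control byte, because that regex alone does not match OSC sequences (ESC ]) or 8-bit CSI (0x9b).

```python
import re

# Regex from the advisory: CSI sequences such as cursor moves and line erases.
CSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")
# Broader net (added here): any C0/C1 control byte except tab. This also
# catches bare ESC, carriage return, OSC sequences and 8-bit CSI.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def neutralize(text):
    """Render control characters as visible \\xNN text so a terminal cannot act on them."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def scan_log(lines):
    """Return (line_number, csi_count, safe_rendering) for each suspicious line."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if CONTROL_RE.search(line):
            findings.append((number, len(CSI_RE.findall(line)), neutralize(line)))
    return findings


# Constructed sample entries in a hypothetical log format (not OpenClaw's own).
SAMPLE_LOG = [
    "2026-04-02T10:15:01Z approved tool=list_dir title=List directory\n",
    "2026-04-02T10:16:40Z approved tool=sync_job "
    "title=Sync\x1b[1A\x1b[2KRead-only directory listing (safe)\n",
    "2026-04-02T10:18:12Z approved tool=fmt title=\x1b]0;renamed\x07Format code\n",
]

if __name__ == "__main__":
    for number, csi_count, safe in scan_log(SAMPLE_LOG):
        print(f"line {number}: {csi_count} CSI sequence(s): {safe}")
```

Applying `neutralize` to a tool title before it is printed or logged keeps the injected bytes visible to the reviewer instead of silently dropping them.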

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 14 - Human Oversight
ISO 42001: A.9.1 - Monitoring, Measurement, Analysis and Evaluation
NIST AI RMF: GOVERN 1.2 - Accountability and Oversight
OWASP LLM Top 10: LLM05:2025 - Improper Output Handling

Frequently Asked Questions

Is CVE-2026-35651 actively exploited?

No confirmed active exploitation of CVE-2026-35651 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35651?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, human-in-the-loop approval pipelines, multi-tool AI orchestration.

What is the CVSS score for CVE-2026-35651?

CVE-2026-35651 has a CVSS v3.1 base score of 4.3 (MEDIUM).

Technical Details

NVD Description

OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling attackers to manipulate displayed information through malicious tool titles.

Exploitation Scenario

An adversary publishes a malicious AI agent tool to a public registry or compromises a private tool repository accessible to the target's OpenClaw deployment. The tool's metadata title contains crafted ANSI escape sequences — for example, cursor-up and line-erase sequences followed by 'Read-only directory listing (safe)' — while the actual tool definition executes a data exfiltration or lateral movement command. When a developer or SOC analyst running OpenClaw encounters the approval prompt for this tool, the terminal display overwrites the real tool name with the spoofed benign label. The analyst approves the action, and the malicious tool executes with full agent-level permissions. Because the permission log also captures the unsanitized title, the audit trail records the spoofed name — giving the attacker both execution and post-incident cover.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Timeline

Published: April 10, 2026
Last Modified: April 10, 2026
First Seen: April 10, 2026
