CVE-2026-53841: OpenClaw XSS via unsafe links

CISO Take

OpenClaw before 2026.5.12 fails to sanitize `javascript:` and `data:` URI schemes when rendering session exports to HTML, meaning any malicious link embedded in agent conversation content survives into the exported file intact. The Changed scope (CVSS S:C) means a successful click can reach browser context outside the document itself — session tokens, locally accessible cookies, or credentials stored in the operator's browser profile are all in play. With zero privileges required on the attacker side and a typical operator workflow that routinely exports sessions for compliance review or incident investigation, the practical attack surface is larger than the Medium CVSS implies for teams running customer-facing OpenClaw agents. Upgrade to 2026.5.12 immediately; as an interim control, open exported HTML only in a sandboxed viewer or convert to PDF before review.

Sources: NVD GitHub Advisory VulnCheck ATLAS

What is the risk?

Medium risk (CVSS 6.1) with elevated practical concern for AI agent deployments. The zero-privilege, network-accessible attack vector means any external user who can inject content into an OpenClaw session is a potential threat actor — no account or authentication is needed. The required user interaction (clicking the link) prevents autonomous exploitation but is easily triggered through social engineering in a realistic operator workflow. No public exploit exists and the vulnerability is not in CISA KEV, keeping near-term exploitation probability low. The Changed scope is the key escalating factor: if the link is activated, impact extends beyond the vulnerable HTML document to the operator's full browser context.

How does the attack unfold?

Content Injection

Adversary submits a session message to the OpenClaw agent containing a malicious `javascript:` or `data:` URI disguised as a legitimate reference link.

AML.T0051.001

Persistence in Export

The OpenClaw session export function renders conversation history to HTML without sanitizing unsafe URI schemes, preserving the malicious link verbatim in the output file.

AML.T0080.001

User Execution

A trusted operator opens the exported HTML file in a browser during a compliance review or incident investigation and clicks the malicious link.

AML.T0011.003

Browser-Side Impact

The browser executes the attacker-controlled script in the operator's context, potentially exfiltrating session tokens, cookies, or locally accessible credentials to an external endpoint.

AML.T0025

Content Injection

Adversary submits a session message to the OpenClaw agent containing a malicious `javascript:` or `data:` URI disguised as a legitimate reference link.

AML.T0051.001

Persistence in Export

The OpenClaw session export function renders conversation history to HTML without sanitizing unsafe URI schemes, preserving the malicious link verbatim in the output file.

AML.T0080.001

User Execution

A trusted operator opens the exported HTML file in a browser during a compliance review or incident investigation and clicks the malicious link.

AML.T0011.003

Browser-Side Impact

The browser executes the attacker-controlled script in the operator's context, potentially exfiltrating session tokens, cookies, or locally accessible credentials to an external endpoint.

AML.T0025

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	pip	—	No patch
4 dependents 61% patched ~0d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

6.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Changed

C Low

I Low

A None

What should I do?

5 steps

Patch: Upgrade OpenClaw to version 2026.5.12 or later — this release removes the unsafe link passthrough in session HTML exports.
Interim workaround: Prohibit opening exported session HTML directly in any browser; pipe exports through a PDF renderer or text editor instead.
Immediate detection: Scan all previously exported OpenClaw HTML files for href="javascript: and href="data: string patterns — any match warrants review of the originating session.
Defense-in-depth: Enforce a strict Content-Security-Policy header on any internal tooling that serves OpenClaw exports; a script-src 'none' policy blocks inline script execution even if the file is opened via a web server.
Process control: Add a sanitization step (e.g., DOMPurify in an offline script) to existing exported archives before distributing to reviewers.

How is it classified?

Code Execution Social Engineering Data Leakage Agent AML.T0011 - User Execution AML.T0011.003 - Malicious Link AML.T0051.001 - Indirect AML.T0080.001 - Thread

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9(2)(a) - Risk management system — identification and analysis of risks

ISO 42001

8.4 - AI system operation

NIST AI RMF

MS-2.5 - AI system output integrity

OWASP LLM Top 10

LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2026-53841?

OpenClaw before 2026.5.12 fails to sanitize `javascript:` and `data:` URI schemes when rendering session exports to HTML, meaning any malicious link embedded in agent conversation content survives into the exported file intact. The Changed scope (CVSS S:C) means a successful click can reach browser context outside the document itself — session tokens, locally accessible cookies, or credentials stored in the operator's browser profile are all in play. With zero privileges required on the attacker side and a typical operator workflow that routinely exports sessions for compliance review or incident investigation, the practical attack surface is larger than the Medium CVSS implies for teams running customer-facing OpenClaw agents. Upgrade to 2026.5.12 immediately; as an interim control, open exported HTML only in a sandboxed viewer or convert to PDF before review.

Is CVE-2026-53841 actively exploited?

No confirmed active exploitation of CVE-2026-53841 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53841?

1. Patch: Upgrade OpenClaw to version 2026.5.12 or later — this release removes the unsafe link passthrough in session HTML exports. 2. Interim workaround: Prohibit opening exported session HTML directly in any browser; pipe exports through a PDF renderer or text editor instead. 3. Immediate detection: Scan all previously exported OpenClaw HTML files for `href="javascript:` and `href="data:` string patterns — any match warrants review of the originating session. 4. Defense-in-depth: Enforce a strict Content-Security-Policy header on any internal tooling that serves OpenClaw exports; a `script-src 'none'` policy blocks inline script execution even if the file is opened via a web server. 5. Process control: Add a sanitization step (e.g., DOMPurify in an offline script) to existing exported archives before distributing to reviewers.

What systems are affected by CVE-2026-53841?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI workflow tools, customer-facing AI agents.

What is the CVSS score for CVE-2026-53841?

CVE-2026-53841 has a CVSS v3.1 base score of 6.1 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworksAI workflow toolscustomer-facing AI agents

MITRE ATLAS Techniques

AML.T0011 User Execution

AML.T0011.003 Malicious Link

AML.T0051.001 Indirect

AML.T0080.001 Thread

Compliance Controls Affected

EU AI Act: Article 9(2)(a)

ISO 42001: 8.4

NIST AI RMF: MS-2.5

OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.

Exploitation Scenario

A threat actor targeting a SOC or compliance team running OpenClaw submits a support ticket through a customer-facing AI agent interface. The ticket body contains a markdown-formatted link using a `data:text/html,<script>...</script>` payload — carefully worded to look like a legitimate reference URL. The OpenClaw agent processes the ticket, stores the conversation in its session database, and the malicious link is preserved verbatim. Three days later, a compliance analyst exports the session batch to HTML for monthly audit evidence, opens the file in Chrome, and clicks the link while reviewing the conversation. The `data:` URI loads an attacker-controlled mini-HTML page in the same browser process, which reads `document.cookie` and `localStorage` values accessible to the local origin and exfiltrates them to an external endpoint — including any session tokens the analyst stored from authenticated internal tools accessed earlier in the same browser session.

Weaknesses (CWE)

CWE-83 Improper Neutralization of Script in Attributes in a Web Page Primary

CWE-83 — Improper Neutralization of Script in Attributes in a Web Page: The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

[Implementation] Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
[Implementation] Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle X

Source: MITRE CWE corpus.