A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack.

Description

Affected Products

Vendor	Product	Versions
openclaw	openclaw	<= 2026.2.6

References

https://github.com/Named1ess/CVE-2026-30741(Exploit)
https://github.com/OpenClaw/OpenClaw(Product)
https://www.bilibili.com/video/BV1LoFazeEBM(Exploit)

Related News (1 articles)

Tier E

Hacker News19h ago

OpenClaw CVE and Security Advisory Tracker

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

CWECWE-94

PublishedMar 11, 2026

Last enriched3d ago

Trending Score28

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-33579

OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval

Trending: 39

HIGHCVE-2026-34511EXP

OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter

Trending: 37

NONECVE-2026-34425EXP

OpenClaw - Shell-Bleed Protection Preflight Validation Bypass

Trending: 34

CRITICALCVE-2026-28363

In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free executio

Trending: 28

NONECVE-2026-34426

OpenClaw - Approval Bypass via Environment Variable Normalization

Trending: 19

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 11, 2026

Discovered by ZDM

Apr 1, 2026