OpenClaw AI ‘Log Poisoning’ Flaw Enables Malicious Content Injection

Overview

A severe “log poisoning” vulnerability has been discovered in the popular OpenClaw AI assistant, potentially allowing attackers to manipulate the agent’s behavior through indirect prompt injection. This issue was identified by security researchers from Eye Security and affects the WebSocket connection-handling code.

Vulnerability Analysis

The core of the issue lies in the WebSocket connection-handling code, specifically in the ws-connection.ts file. When a connection is closed, OpenClaw logs debug information including the User-Agent and Origin headers. Security researchers discovered that these fields were not sanitized before being written to the logs.

Injected payload (Source: Eye Security)

The system accepted payloads of up to 14.8KB in these headers, providing ample space for attackers to embed complex instructions or “skills” designed to trick the AI.

Attack Scenario and Impact

In a realistic attack scenario, a threat actor connects to an exposed OpenClaw instance (typically on TCP port 18789) and sends a crafted WebSocket request that includes a malicious payload in the request headers. This action requires no authentication.

  • The payload is then written to the log files.
  • When an administrator later asks OpenClaw to debug a connection issue, the agent reads the poisoned log.

The poisoned log content can potentially influence the agent's decisions, alter troubleshooting steps, or cause it to leak sensitive data.

Vulnerability Profile Details

Component: WebSocket Handler (ws-connection.ts)
Attack vector: Indirect prompt injection (via log files)
Injection point: User-Agent and Origin HTTP headers
Payload capacity: Approximately 14.8 KB
Advisory ID: GHSA-g27f-9qjv-22pm
Patch status: Fixed in Pull Request #15592

Mitigation and Updates

The OpenClaw maintainers have patched this vulnerability in version 2026.2.13 by sanitizing user-controlled input in core logging paths and limiting header sizes.

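  • Users are advised to update their instances immediately.
  • Security experts recommend running AI agents under their own identity with minimal privileges rather than under a primary user account.
  • Administrators should not expose instances directly to the internet without strong authentication.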
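
The kind of fix described above (sanitizing user-controlled header values in the logging path and bounding their size) can be sketched as follows. This is an added example, not the OpenClaw patch or code from ws-connection.ts; the function names, the 256-unit cap and the log line layout are assumptions made for illustration.

```typescript
// Added illustration; not the code from OpenClaw's ws-connection.ts or its patch.
// MAX_FIELD_UNITS, isUnsafeUnit, sanitizeLogField, formatCloseLog are hypothetical names.
const MAX_FIELD_UNITS = 256; // assumed cap (UTF-16 code units) per logged header

// True for code units that can break a line or hide text in a log viewer:
// C0/C1 controls (CR, LF, ESC...), U+2028/2029, and bidi override/isolate marks.
function isUnsafeUnit(cu: number): boolean {
  return cu < 0x20 || (cu >= 0x7f && cu <= 0x9f) ||
    cu === 0x2028 || cu === 0x2029 ||
    (cu >= 0x202a && cu <= 0x202e) || (cu >= 0x2066 && cu <= 0x2069);
}

// Turn one untrusted header value into a single-line, quoted, bounded token.
function sanitizeLogField(value: string | undefined, maxUnits: number = MAX_FIELD_UNITS): string {
  if (value === undefined) return '"-"';
  let end = Math.min(value.length, maxUnits);
  const last = value.charCodeAt(end - 1);
  if (end < value.length && last >= 0xd800 && last <= 0xdbff) end--; // do not split a surrogate pair
  const kept = value.slice(0, end);
  let out = "";
  for (let i = 0; i < kept.length; i++) {
    const cu = kept.charCodeAt(i);
    const ch = kept.charAt(i);
    if (isUnsafeUnit(cu)) out += "\\u" + ("0000" + cu.toString(16)).slice(-4);
    else if (ch === '"' || ch === "\\") out += "\\" + ch;
    else out += ch;
  }
  // Record how much was dropped so truncation is visible to whoever reads the log.
  const dropped = value.length - kept.length;
  return '"' + out + '"' + (dropped > 0 ? "[+" + dropped + " truncated]" : "");
}

// Build the close-event debug line with every client-supplied value sanitized.
function formatCloseLog(code: number, headers: { [name: string]: string | undefined }): string {
  return "ws closed code=" + code +
    " user_agent=" + sanitizeLogField(headers["user-agent"]) +
    " origin=" + sanitizeLogField(headers["origin"]);
}

// Constructed sample: a User-Agent containing CRLF followed by a forged log entry.
const sampleLine = formatCloseLog(1006, {
  "user-agent": 'Mozilla/5.0\r\n2026-01-01 INFO forged "entry"',
  origin: "https://example.test",
});
```

Escaping and truncation keep each header on one quoted line and shrink the room available for embedded text; an agent that later reads the log should still treat the quoted field contents as untrusted data.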

Conclusion

This vulnerability highlights the importance of securing AI systems and ensuring that they are not susceptible to indirect attacks through log files. Users should update their OpenClaw instances immediately and follow best practices for securing such systems.


Original article: https://gbhackers.com/openclaw-ai-log-poisoning-flaw/