Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass command gate restrictions.
AnalysisAI
OpenClaw versions prior to 2026.2.21 are vulnerable to prototype pollution attacks via the /debug set endpoint, allowing authenticated attackers to inject reserved prototype keys (__proto__, constructor, prototype) and manipulate object prototypes to bypass command gate restrictions. The vulnerability requires authenticated access and has relatively low real-world exploitability due to high attack complexity, but presents a meaningful integrity risk for authorized users who may not be aware of this attack vector. A patch is available from the vendor.
Technical ContextAI
The vulnerability is a prototype pollution flaw (CWE-1321) affecting OpenClaw's runtime /debug set override functionality. When handling override object values at the /debug set endpoint, the application fails to sanitize or block prototype-reserved keys that are fundamental to JavaScript object model manipulation. An attacker with authenticated access can inject __proto__, constructor, or prototype keys into runtime objects, allowing them to modify the prototype chain of base objects and inject malicious properties that affect all downstream object instances. This enables bypassing security controls such as command gate restrictions that may be implemented through prototype-based access checks. The CPE identifier cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:* confirms the affected product scope across all versions prior to 2026.2.21.
RemediationAI
Upgrade OpenClaw to version 2026.2.21 or later immediately. The patch is available from the vendor's GitHub repository and should be applied to all affected instances. Until patching can be completed, restrict access to the /debug endpoint to only the minimum necessary authenticated users, disable the /debug endpoint entirely if not required for production operations, and monitor access logs for suspicious /debug set calls containing prototype-reserved keys such as __proto__, constructor, or prototype. Implement additional access controls at the network level to limit which systems can reach the /debug endpoint. See the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-62f6-mrcj-v8h5 for detailed patching instructions.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12736
GHSA-62f6-mrcj-v8h5