Improper Output Neutralization for Logs Affecting openclaw package, versions <2026.2.13
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Output Neutralization for Logs vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-OPENCLAW-15307839
- published18 Feb 2026
- disclosed17 Feb 2026
- creditpkerkhofs
Introduced: 17 Feb 2026
New CVE NOT AVAILABLE CWE-117 (opens in a new tab)How to fix?
Upgrade openclaw to version 2026.2.13 or higher.
Overview
openclaw is a 🦞 OpenClaw — Personal AI Assistant
Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the logging process for WebSocket request headers when a connection is closed before completing the handshake. An attacker can inject crafted header values into logs by sending specially constructed WebSocket requests.
Note: This is only exploitable if logs are later consumed by automation or AI systems that interpret log content without proper sanitization.