Prototype pollution in OpenClaw - CVE-2026-27524
Published: May 1, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote user to modify object prototype attributes.
The vulnerability exists due to improperly controlled modification of object prototype attributes in the runtime /debug set override handler when processing override object values containing prototype-reserved keys. A remote user can send a crafted override object to modify object prototype attributes.
The issue affects runtime in-memory overrides only and exploitation requires the /debug feature to be enabled.