Insufficient verification of data authenticity in OpenClaw - #VU135898
Published: June 30, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote attacker to perform unauthorized actions.
The vulnerability exists because the HTTP Canvas response handling for trusted A2UI actions does not sufficiently verify data authenticity when processing lower-trust caller input or configured input paths. A remote attacker can provide a specially crafted response or input path to perform unauthorized actions.
Exploitation requires the affected feature to be enabled and reachable, and practical impact depends on whether lower-trust input can reach the affected path. User interaction is required.