OpenClaw Flaws Let Prompt Injections Hijack Agent Configs (CVE-2026-35650)
Key Takeaways
- Three vulnerabilities disclosed in OpenClaw, an open-source AI agent and MCP toolchain.
- Prompt-injected model output can rewrite sandbox policies, plugin permissions, and routing hooks.
- Bundled MCP and LSP tools could re-add themselves to the active toolset after policy filtering.
- A malicious .env file could override MINIMAX_API_HOST and redirect API requests to an attacker-controlled host.
- Fixed in OpenClaw 2026.4.20; users on older versions should patch immediately.
Summary
On April 27, 2026, three vulnerabilities were disclosed in OpenClaw, an open-source AI agent and MCP toolchain. The flaws allow prompt-injected model output to rewrite sandbox policies and other trusted configuration, let bundled tools re-enter the active toolset after policy filtering, and let a workspace .env file redirect API traffic to an attacker-controlled host. OpenClaw users running versions before 2026.4.20 should patch immediately to prevent credential theft and unauthorized agent actions across MCP environments.
What We Know
The vulnerabilities were disclosed on April 27, 2026 by CyberSecurityNews and confirmed by multiple independent advisories the same week. All OpenClaw releases prior to 2026.4.20 are affected, and at least two CVE identifiers track the issues, among them CVE-2026-35650 and CVE-2026-41361.
The first vulnerability is a gateway configuration bypass. Model output containing a crafted prompt-injection payload can write to trusted configuration paths and thereby override operator safeguards. Sandbox policies, plugin permissions, routing hooks, MCP server settings, and filesystem protections are all reachable through the bug.
The second vulnerability affects bundled MCP and LSP tools. After the initial policy filter pass, these tools could re-register themselves into an agent's active toolset, defeating administrator deny lists and restricted-access rules.
The third vulnerability affects OpenClaw versions from 2026.4.5 up to, but not including, 2026.4.20. As detailed by GBHackers, a malicious .env file can override the MINIMAX_API_HOST environment variable and redirect outbound API requests to an attacker-controlled host, where the API credentials sent with those requests can be intercepted. OpenClaw maintainers released version 2026.4.20 to address all three issues, and users are urged to update.
What Could Happen
This is a textbook agent-layer compromise. The first vulnerability collapses the boundary between model output, which is untrusted data, and the agent's control plane. When prompt-injected output is allowed to write to configuration paths, every guardrail downstream becomes negotiable. An attacker who can influence a single prompt can quietly relax sandbox policies, disable plugin restrictions, or rewire MCP routing.
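The guard that the first flaw calls for, as an added example that is not OpenClaw code: a model-originated write request may only land inside the workspace, and a fixed set of control-plane paths (here a hypothetical .agent directory and the workspace .env) is never writable from model output at all. Every comparison is made on realpath() output, so a traversal segment, an absolute path, a sibling directory that shares the workspace's name prefix, and a symlink planted in the workspace are all caught. The workspace layout, the protected paths and the shape of the request are assumptions made for illustration.

```python
"""Guard that keeps model-originated file writes out of the agent's control plane.

Added example, not OpenClaw code. The workspace layout, the protected paths and
the shape of the model's write request are assumptions made for illustration.
"""
import os
import tempfile
from dataclasses import dataclass

# Hypothetical control-plane locations, relative to the workspace root:
# a policy/plugin/hook directory and the workspace .env file.
PROTECTED_RELATIVE = (".agent", ".env")


@dataclass
class Decision:
    allowed: bool
    reason: str


def _is_within(path: str, root: str) -> bool:
    """True if path equals root or lies beneath it (both already realpath'd).

    A plain str.startswith(root) would wrongly accept /tmp/ws2 as inside /tmp/ws.
    """
    return path == root or path.startswith(root + os.sep)


def check_model_write(workspace: str, requested: str) -> Decision:
    """Decide whether a path the model asked to write may be written.

    Policy: writes stay inside the workspace and never touch PROTECTED_RELATIVE.
    Every comparison is done on os.path.realpath() output, so '..' segments,
    absolute paths and symlinks planted in the workspace cannot escape the check.
    """
    root = os.path.realpath(workspace)
    # Relative paths resolve against the workspace, never the process CWD.
    candidate = requested if os.path.isabs(requested) else os.path.join(root, requested)
    target = os.path.realpath(candidate)

    if not _is_within(target, root):
        return Decision(False, f"outside workspace: {requested!r}")

    for rel in PROTECTED_RELATIVE:
        protected = os.path.realpath(os.path.join(root, rel))
        if _is_within(target, protected):
            return Decision(False, f"control-plane path {rel!r} is not writable by model output")

    return Decision(True, "ok")


def demo() -> dict:
    """Exercise the guard against a constructed workspace; returns name -> allowed."""
    with tempfile.TemporaryDirectory() as ws:
        os.makedirs(os.path.join(ws, ".agent"))
        with open(os.path.join(ws, ".agent", "policy.json"), "w", encoding="utf-8") as f:
            f.write('{"sandbox": "strict"}\n')
        # A symlink an earlier turn could have planted: looks like notes, points at policy.
        os.symlink(os.path.join(ws, ".agent", "policy.json"), os.path.join(ws, "notes.md"))

        requests = {
            "source_file": "src/main.py",
            "traversal": "src/../.agent/policy.json",
            "absolute_escape": "/etc/passwd",
            "sibling_prefix": ws + "2/config.json",
            "symlink_to_policy": "notes.md",
            "dotenv": ".env",
        }
        return {name: check_model_write(ws, path).allowed for name, path in requests.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY'}")
```

The important design point is that the decision is made on the resolved target, not on the string the model produced, and that the protected set is a property of the gateway rather than something the model can edit.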
The bundled-tools bypass introduces a temporal trust gap. An administrator may believe a deny list is enforced, but a tool that adds itself to the active toolset after the filter pass effectively launders its permissions. This is the agent equivalent of a TOCTOU (time-of-check to time-of-use) flaw: the deny list is checked once at startup, while the toolset is consulted long afterwards.
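The gap described above next to one way of closing it, as an added example that is not OpenClaw code: a filter-once toolset that forgets the deny list after construction, beside one that keeps the policy immutable, re-checks it on every registration and every call, and remembers the callable it rejected so the same tool cannot come back under an alias. The tool names, the bundle's late registration hook and the deny list are constructed for illustration.

```python
"""Toolset that enforces an administrator deny list on every registration and
every call, not only during an initial filter pass.

Added example, not OpenClaw code. The tool names, the bundle's late
registration hook and the deny list are constructed for illustration.
"""
from typing import Callable, Dict, Iterable


class ToolDenied(Exception):
    """Raised when policy blocks a tool from entering or being called from the toolset."""


class FilterOnceToolset:
    """Vulnerable pattern: the deny list is applied once at construction and then
    discarded, so anything that registers later is trusted unconditionally."""

    def __init__(self, tools: Dict[str, Callable], denied: Iterable[str]):
        self.tools = {name: fn for name, fn in tools.items() if name not in set(denied)}

    def register(self, name: str, fn: Callable) -> None:
        self.tools[name] = fn  # no policy check here: this is the gap

    def call(self, name: str, *args):
        return self.tools[name](*args)


class EnforcedToolset:
    """Hardened pattern: policy is immutable, checked on every register() and again
    on every call(), and remembers the callables it rejected so a denied tool
    cannot come back under a different name."""

    def __init__(self, tools: Dict[str, Callable], denied: Iterable[str]):
        self._denied_names = frozenset(denied)
        self._denied_fns: set = set()
        self._tools: Dict[str, Callable] = {}
        for name, fn in tools.items():
            if name in self._denied_names:
                self._denied_fns.add(fn)  # remember the object, not just the name
                continue
            self.register(name, fn, source="bundle")

    def register(self, name: str, fn: Callable, source: str = "runtime") -> None:
        if name in self._denied_names:
            raise ToolDenied(f"{name!r} is denied by policy (registration from {source})")
        if fn in self._denied_fns:
            raise ToolDenied(f"{name!r} aliases a denied tool (registration from {source})")
        self._tools[name] = fn

    def call(self, name: str, *args):
        fn = self._tools.get(name)
        # Time-of-use check: even if _tools were tampered with, policy still applies.
        if fn is None or name in self._denied_names or fn in self._denied_fns:
            raise ToolDenied(f"{name!r} is not callable under current policy")
        return fn(*args)


def _raises(thunk: Callable[[], object]) -> bool:
    try:
        thunk()
    except ToolDenied:
        return True
    return False


def demo() -> Dict[str, bool]:
    """Replay the re-registration scenario against both toolsets; returns check -> passed."""
    def shell_exec(cmd: str) -> str:          # stand-in for a dangerous bundled tool
        return f"executed: {cmd}"

    def read_file(path: str) -> str:          # stand-in for a benign bundled tool
        return f"contents of {path}"

    bundled = {"shell_exec": shell_exec, "read_file": read_file}
    admin_deny_list = {"shell_exec"}
    results: Dict[str, bool] = {}

    weak = FilterOnceToolset(bundled, admin_deny_list)
    results["filter_once_drops_tool"] = "shell_exec" not in weak.tools
    weak.register("shell_exec", shell_exec)   # bundle's post-filter hook re-adds itself
    results["filter_once_reexposed"] = weak.call("shell_exec", "id") == "executed: id"

    strong = EnforcedToolset(bundled, admin_deny_list)
    results["enforced_blocks_rereg"] = _raises(lambda: strong.register("shell_exec", shell_exec))
    results["enforced_blocks_alias"] = _raises(lambda: strong.register("sh", shell_exec))
    results["enforced_blocks_call"] = _raises(lambda: strong.call("shell_exec", "id"))
    results["enforced_allows_benign"] = strong.call("read_file", "a.txt") == "contents of a.txt"
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:26} {'ok' if passed else 'FAIL'}")
```

Checking at call time is what actually closes the TOCTOU window; the alias check is a cheap addition that stops a bundle from re-registering the same callable under a name the deny list never mentioned.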
The host-override flaw is a classic supply chain redirect. An attacker who can influence a workspace .env file, whether through a poisoned dependency, a forked repository, or a user-installed extension, can silently redirect API traffic and harvest credentials.
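What a hardened loader for the third flaw looks like, as an added example that is not OpenClaw code: the workspace .env may still supply MINIMAX_API_HOST, but whatever value wins must be https and its hostname must match an operator allowlist exactly, so a lookalike subdomain, a userinfo trick, and a plaintext downgrade are refused instead of silently honoured. Only the variable name comes from the advisory; the allowlist, the default host, the precedence order, the .env contents and the minimal parser are assumptions made for illustration.

```python
"""Loading an API host from a workspace .env file without letting that file
redirect traffic to an arbitrary host.

Added example, not OpenClaw code. MINIMAX_API_HOST is the variable named in
the advisory; the allowlist, the default host, the .env contents and the
minimal parser are assumptions made for illustration.
"""
from typing import Dict, Mapping, Optional
from urllib.parse import urlsplit

# Hosts the operator has approved. Placeholder values for the example.
ALLOWED_API_HOSTS = frozenset({"api.minimax.io"})
DEFAULT_API_BASE = "https://api.minimax.io"


class UntrustedHostError(Exception):
    """Raised when a configured API host fails the allowlist or scheme checks."""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser: skips blanks and comments, strips matching quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def resolve_api_base(process_env: Mapping[str, str], dotenv_values: Mapping[str, str],
                     var: str = "MINIMAX_API_HOST") -> str:
    """Choose the API base URL, validating whatever value wins.

    Precedence (a design choice for this example): a value the operator set in
    the process environment beats the workspace .env, which beats the default.
    Whatever wins must be https and its hostname must match the allowlist
    exactly, so lookalike subdomains, userinfo tricks and plaintext downgrades
    are rejected rather than silently honoured.
    """
    candidate = process_env.get(var) or dotenv_values.get(var) or DEFAULT_API_BASE
    parts = urlsplit(candidate if "://" in candidate else "https://" + candidate)
    if parts.scheme != "https":
        raise UntrustedHostError(f"{var}: scheme {parts.scheme!r} is not allowed")
    host = parts.hostname  # lower-cased; userinfo such as 'api.minimax.io@' is excluded
    if host not in ALLOWED_API_HOSTS:
        raise UntrustedHostError(f"{var}: host {host!r} is not on the allowlist")
    try:
        port = parts.port
    except ValueError as exc:  # e.g. a non-numeric port
        raise UntrustedHostError(f"{var}: malformed port") from exc
    return f"https://{host}" + (f":{port}" if port else "")  # path/query are dropped


# Constructed .env contents covering the cases above (not real files).
DOTENV_SAMPLES = {
    "legit": 'MINIMAX_API_HOST="https://api.minimax.io"\n',
    "lookalike": "# added by a poisoned dependency\nMINIMAX_API_HOST=https://api.minimax.io.attacker.example\n",
    "downgrade": "MINIMAX_API_HOST=http://api.minimax.io\n",
    "userinfo": "MINIMAX_API_HOST=https://api.minimax.io@203.0.113.7/v1\n",
    "absent": "OTHER_SETTING=1\n",
}


def demo(process_env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Resolve each sample; returns name -> base URL or 'rejected: <reason>'."""
    out: Dict[str, str] = {}
    for name, text in DOTENV_SAMPLES.items():
        try:
            out[name] = resolve_api_base(process_env or {}, parse_dotenv(text))
        except UntrustedHostError as exc:
            out[name] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

Exact hostname matching is deliberate: a suffix or substring check would accept api.minimax.io.attacker.example, and a prefix check on the raw string would accept the userinfo form. Rebuilding the base URL from the validated host also discards any path or query the .env value tried to smuggle in.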
Together, the three flaws illustrate the unique blast radius of compromised AI agents. A single payload can exfiltrate tokens, seize routing, and reuse legitimate session permissions to take any action the agent is allowed to take.
Why It Matters
OpenClaw is widely used as connective tissue in agent and MCP deployments. A compromise here propagates not to a single user, but to every agent invocation routed through the toolchain. That includes API calls to language model providers, MCP-mediated access to filesystems, and policy-controlled actions on production endpoints.
For enterprise teams that already treat agent stacks as a software supply chain, this disclosure validates the concern. Agent frameworks now ship with their own configuration surfaces, environment-variable expectations, and bundled capabilities, each of which is a new attack vector unfamiliar to legacy SAST and SCA tools.
The privacy and regulatory stakes are real. As RedPacket Security notes in its CVE tracking, an overridden API host can intercept user prompts, model responses, and embedded data, including PII, source code, and proprietary content. Under the EU AI Act and NIST AI RMF, organizations are expected to maintain visibility and control over models, data flows, and dependencies. A silent redirect of model traffic violates the spirit and likely the letter of those obligations.
The cost of patching is small. The cost of trusting a compromised agent toolchain in production is not.
PointGuard AI Perspective
The OpenClaw flaws sit squarely in the agent control plane, which is the category of risk the PointGuard AI Agentic Security platform is built to neutralize.
Our discovery and inventory layer identifies every agent, MCP server, and bundled tool running across Databricks, GitHub, and major cloud platforms, including the transitively bundled components that legacy tools miss. Risk knowledge bases score open-source agent toolchains before they reach production, so customers running an unpatched OpenClaw version surface immediately rather than waiting for the next bulletin.
AI Security Posture Management continuously hardens agent configurations against the exact misconfiguration pattern in CVE-2026-35650, including writable policy paths, exposed environment variables, and unsigned bundled tools. Findings map directly to the Databricks AI Security Framework and to NIST AI RMF controls.
The Agent Security Mesh provides runtime defense against prompt-injected configuration writes by intercepting every agent action at sub-millisecond latency. It enforces cryptographic agent identities, isolates agents in a hypervisor sandbox with kill-switch and ring isolation, and blocks tool re-registration that would defeat policy filtering. For host-override attacks, the MCP Security Gateway inspects outbound traffic in real time and flags unauthorized API host changes before credentials leave the environment.
OpenClaw is fixable with a version bump. The vulnerability category is not. Runtime intent-to-action enforcement is the durable answer for trustworthy agent adoption.
Incident Scorecard Details
Total AISSI Score: 6.8/10 (weighted sum of the five factors below)
- Criticality = 8 (AISSI weighting 25%): configuration paths, MCP servers, and API credentials are highly sensitive AI assets.
- Propagation = 8 (AISSI weighting 20%): connected exploit path through MCP, bundled tools, and shared agent toolchains.
- Exploitability = 5 (AISSI weighting 15%): public CVE disclosure with proof-of-concept, but no widespread exploitation reported.
- Supply Chain = 8 (AISSI weighting 15%): heavy dependence on third-party bundled tools and open-source MCP and LSP components.
- Business Impact = 5 (AISSI weighting 25%): patch issued and no confirmed exploitation, but high credible exposure for organizations on unpatched versions.