{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/system-prompt-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","trust-model","system-prompt-injection","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a user-controlled local assistant, is susceptible to a vulnerability affecting its trust model. This vulnerability, present in versions 2026.4.2 and earlier, allows authenticated \u003ccode\u003e/hooks/wake\u003c/code\u003e calls and mapped \u003ccode\u003ewake\u003c/code\u003e payloads to be improperly promoted into the trusted \u003ccode\u003eSystem:\u003c/code\u003e prompt channel. This occurs because the application fails to correctly differentiate between trusted system events and untrusted user-supplied events. The issue was reported on April 9th, 2026, and addressed in version 2026.4.8. The vulnerability specifically impacts the OpenClaw trust model, which assumes a single-tenant environment; it is not applicable to multi-tenant service boundaries. Defenders need to ensure OpenClaw is updated to the patched version to mitigate potential security exploits within this trust model.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenClaw instance running version 2026.4.2 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the OpenClaw instance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload intended to be interpreted as a standard \u0026ldquo;wake\u0026rdquo; command.\u003c/li\u003e\n\u003cli\u003eAttacker sends a specially crafted \u003ccode\u003e/hooks/wake\u003c/code\u003e request or a mapped \u003ccode\u003ewake\u003c/code\u003e payload containing the malicious content.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, OpenClaw incorrectly promotes the attacker-controlled payload into the trusted \u003ccode\u003eSystem:\u003c/code\u003e prompt channel.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw assistant processes the malicious payload within the \u003ccode\u003eSystem:\u003c/code\u003e context, granting it elevated privileges within the application\u0026rsquo;s trust model.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes arbitrary commands or actions within the OpenClaw environment as a trusted system component.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could involve data manipulation, unauthorized access to local resources, or other malicious activities within the scope of the OpenClaw assistant.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an attacker to inject malicious commands into the trusted system prompt channel of OpenClaw. Successful exploitation could lead to unauthorized data access, modification, or execution of arbitrary code within the OpenClaw environment. While the advisory does not specify the number of affected users, any instance running OpenClaw version 2026.4.2 or earlier is vulnerable. The primary risk is the compromise of the user\u0026rsquo;s local assistant and potentially the data it manages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to remediate the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw logs for suspicious activity related to the \u003ccode\u003e/hooks/wake\u003c/code\u003e endpoint (develop custom rules based on your OpenClaw logging configuration).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect potential exploitation attempts by monitoring process execution following \u003ccode\u003e/hooks/wake\u003c/code\u003e requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T14:22:23Z","date_published":"2026-04-09T14:22:23Z","id":"/briefs/2026-04-openclaw-trust-model/","summary":"OpenClaw versions 2026.4.2 and earlier are vulnerable to a trust model issue where authenticated wake hooks or mapped wake payloads can be promoted into the trusted System prompt channel, potentially leading to security vulnerabilities within the OpenClaw trust model.","title":"OpenClaw Trust Model Vulnerability: System Prompt Channel Injection","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-trust-model/"}],"language":"en","title":"CraftedSignal Threat Feed — System-Prompt-Injection","version":"https://jsonfeed.org/version/1.1"}