Platform: nodejs
Component: openclaw
Fixed in: 2026.2.23
CVE-2026-32040 describes a cross-site scripting (XSS) vulnerability within the HTML session exporter component of OpenClaw. This flaw arises from the improper handling of img.mimeType values when constructing HTML <img> tags, allowing attackers to inject malicious JavaScript. Affected versions are those prior to 2026.2.23; upgrading to this version resolves the issue.
An attacker can exploit this vulnerability by crafting tool results or manipulating session data so that an image content block carries a malicious mimeType value. When such a value is interpolated into the HTML src attribute without escaping, it can break out of the attribute context and execute arbitrary JavaScript in the browser of the user viewing the export. This could lead to session hijacking, data theft, or defacement of the OpenClaw interface. Successful exploitation requires the attacker to control image content blocks within the session data, which makes this a somewhat more constrained attack vector than generic XSS.
This vulnerability was publicly disclosed on 2026-03-03. There is currently no indication of active exploitation campaigns targeting CVE-2026-32040. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (6th percentile)
The primary mitigation for CVE-2026-32040 is to upgrade OpenClaw to version 2026.2.23 or later, which properly validates img.mimeType values before they are written into the export. If upgrading is not immediately feasible, consider implementing server-side input validation that restricts allowed mimeType values to an allowlist of safe image types. While not a complete solution, this reduces the attack surface. No WAF rules or detection signatures are readily available for this specific vulnerability, so focus on the upgrade and on input validation.
Update OpenClaw to version 2026.2.23 or later. This version fixes the HTML injection vulnerability by correctly validating image MIME types in content blocks.
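The following is an added example, not OpenClaw's own code, contrasting the unescaped interpolation pattern the advisory describes with a hardened exporter that applies the allowlist validation recommended above. The content-block shape ({ mimeType, dataBase64 }), the function names, and the allowlist contents are assumptions for illustration.

```javascript
// Added example (not OpenClaw's code). Assumed content-block shape:
// { mimeType: string, dataBase64: string }.

// Allowlist of image types the exporter is expected to handle (assumption).
const ALLOWED_IMAGE_MIME_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
]);

// Strict syntactic check: "type/subtype" built only from RFC 2045 token
// characters, so quotes, spaces and angle brackets can never pass.
const MIME_TOKEN = /^[a-z0-9][a-z0-9!#$&^_.+-]*\/[a-z0-9][a-z0-9!#$&^_.+-]*$/i;

function isSafeImageMimeType(mimeType) {
  if (typeof mimeType !== 'string') return false;
  const normalized = mimeType.trim().toLowerCase();
  return MIME_TOKEN.test(normalized) && ALLOWED_IMAGE_MIME_TYPES.has(normalized);
}

// Escape every character that could close or alter an HTML attribute value.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern, shown for contrast: mimeType is interpolated directly
// into the attribute, so a value containing a quote ends the src attribute.
function renderImageUnsafe(img) {
  return `<img src="data:${img.mimeType};base64,${img.dataBase64}">`;
}

// Hardened: validate against the allowlist first, then escape anyway as
// defence in depth, and constrain the payload to base64 characters.
function renderImageSafe(img) {
  if (!isSafeImageMimeType(img.mimeType)) {
    // Unknown or malformed type: omit the image instead of emitting the value.
    return '<!-- image omitted: unsupported mimeType -->';
  }
  const type = escapeAttr(img.mimeType.trim().toLowerCase());
  const base64 = /^[A-Za-z0-9+/=]*$/.test(img.dataBase64) ? img.dataBase64 : '';
  return `<img src="data:${type};base64,${base64}">`;
}
```

Note that the allowlist rejects types such as image/svg+xml even though they are syntactically valid, because an exporter should only emit the types it intends to support.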
CVE-2026-32040 is a cross-site scripting (XSS) vulnerability in OpenClaw's HTML session exporter. It allows attackers to inject JavaScript code when exporting HTML sessions if image mimeType values are not properly validated.
You are affected if you are using OpenClaw versions prior to 2026.2.23 and allow users to upload or provide data that is included in session exports.
Upgrade OpenClaw to version 2026.2.23 or later. As a temporary workaround, implement server-side input validation to restrict allowed mimeType values.
There is currently no indication of active exploitation campaigns targeting CVE-2026-32040.
Refer to the OpenClaw project's official website or GitHub repository for the latest security advisories and updates.