GHSA-2cq5-mf3v-mx44: openclaw: exec approval bypass via opaque multi-call binaries

GHSA-2cq5-mf3v-mx44 HIGH
Published April 17, 2026
CISO Take

A high-severity authorization flaw (CWE-863) in the openclaw AI agent framework allows adversaries to weaponize opaque multi-call binaries like busybox and toybox to obscure which applet actually executes, defeating the exec approval binding that is supposed to prevent unauthorized command execution by the agent. This is a direct attack on the control plane of an AI agent runtime—the mechanism that enforces what actions the agent is permitted to take—creating a path to uncontrolled command execution under the agent's identity and permissions. Although only 4 downstream dependents are currently tracked and no public exploit or KEV listing exists, the real-world abuse potential is validated by AIID #1368, which documented malicious OpenClaw skills actively exfiltrating credentials in February 2026 using the same ecosystem. Organizations running openclaw >= 2026.2.23 and < 2026.4.12 should upgrade immediately to 2026.4.14; no workaround short of removing busybox and toybox from the agent's execution environment is sufficient until the patch is applied.

Sources: GitHub Advisory, MITRE ATLAS, CISA KEV

What is the risk?

HIGH. The vulnerability directly degrades a critical security control in an AI agent framework—exec approval binding—rather than a peripheral feature. CWE-863 (Incorrect Authorization) in an agentic execution context with shell-level tool access is particularly dangerous because agents typically run with broad filesystem and network permissions. The absence of CVSS vector data prevents precise scoring, but the AIID #1368 incident confirms the OpenClaw ecosystem is already an active target for threat actors. Package risk score of 0/100 and low dependent count (4) somewhat limit blast radius, but any organization using openclaw as a production agent runtime should treat this as urgent.

How does the attack unfold?

  1. Tool Injection (AML.T0010.005). The adversary introduces busybox or toybox into the openclaw agent's available tool set via a poisoned ClawHub skill, a malicious dependency, or direct filesystem access, or simply relies on a busybox that is already present, as it is on Alpine-based and other minimal container images where the multi-call binary provides the base userland.

  2. Approval Bypass (AML.T0107). The adversary invokes the binary; the pre-fix exec approval binding keys its decision on the binary name alone, cannot resolve which applet will be dispatched, and so fails open instead of closed.

  3. Arbitrary Execution (AML.T0053). The opaque multi-call binary dispatches an unauthorized applet (e.g., sh, wget, curl) under the agent's runtime identity, bypassing the approval controls entirely.

  4. Credential Exfiltration (AML.T0086). The adversary harvests environment variables, API keys, and credentials from the agent's runtime context and exfiltrates them over the agent's own network access.

What systems are affected?

Package    Ecosystem   Vulnerable Range             Patched
OpenClaw   npm         >= 2026.2.23, < 2026.4.12    2026.4.12

4 dependents tracked; 36% patched; ~3 days to patch.


How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Upgrade openclaw to >= 2026.4.12; the latest stable release 2026.4.14 includes the fix.

  2. Until patched, remove or restrict busybox and toybox in every execution environment where openclaw agents operate. Note that on Alpine-based and other busybox-based images the multi-call binary is the base userland (sh, ls, cat and the rest are symlinks to it), so "removing busybox" there means moving the agent to a base image with standalone coreutils, not deleting /bin/busybox from a running image.

  3. Audit agent tool allowlists to eliminate any opaque multi-call binary from approved tool sets.

  4. Review agent execution logs for unexpected applet invocations or anomalous process trees originating from the agent's PID.

  5. In containerized deployments, constrain which executables the agent process may exec with an AppArmor or SELinux profile (path-based exec rules). Seccomp alone is not enough for this: it filters on syscall numbers and integer arguments and cannot inspect the path passed to execve, so it cannot enforce a per-binary allowlist. Pair the MAC profile with a read-only root filesystem and noexec on writable mounts so a skill cannot drop its own busybox.

  6. Cross-check all installed openclaw skills against the ClawHub advisory dataset for known-malicious entries per AIID #1368 guidance.

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act: Article 9 (Risk management system); Article 15 (Accuracy, robustness and cybersecurity)
ISO 42001: 6.1.2 (AI risk assessment); 8.4 (AI system operation)
NIST AI RMF: MANAGE 2.2 (Risks or harms associated with AI are managed)
OWASP LLM Top 10: LLM07 (Insecure Plugin Design); LLM08 (Excessive Agency)

Frequently Asked Questions

What is GHSA-2cq5-mf3v-mx44?

A high-severity incorrect-authorization flaw (CWE-863) in the openclaw AI agent framework (npm, versions >= 2026.2.23 and < 2026.4.12). Opaque multi-call binaries such as busybox and toybox hide which applet will actually run, so the agent's exec approval binding could approve an invocation without knowing whether it amounted to a shell, a network download, or a harmless utility. The result is command execution under the agent's identity and permissions. The fix, first shipped in 2026.4.12, treats these binaries as opaque script runners and fails closed. See the CISO Take at the top of this page for the full assessment.

Is GHSA-2cq5-mf3v-mx44 actively exploited?

No confirmed active exploitation of GHSA-2cq5-mf3v-mx44 has been reported, but organizations should still patch proactively.

How to fix GHSA-2cq5-mf3v-mx44?

Upgrade openclaw to 2026.4.12 or newer (2026.4.14 is the latest release carrying the fix). Until then, remove or restrict busybox and toybox in the agent's execution environment, strip opaque multi-call binaries from tool allowlists, review exec logs for unexpected applet invocations, constrain the agent's exec surface with an AppArmor or SELinux profile, and audit installed ClawHub skills against the known-malicious entries from AIID #1368. The six steps are listed in full under "What should I do?" above.

What systems are affected by GHSA-2cq5-mf3v-mx44?

The openclaw npm package at versions >= 2026.2.23 and < 2026.4.12. This page classifies the affected AI/ML architecture patterns as agent frameworks, agentic pipelines, and model serving.

What is the CVSS score for GHSA-2cq5-mf3v-mx44?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, agentic pipelines, model serving

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0074 Masquerading
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

## Summary

busybox and toybox applet execution weakened exec approval binding.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.2.23 < 2026.4.12`
- Patched versions: `>= 2026.4.12`

## Impact

Opaque multi-call binaries such as `busybox` and `toybox` could obscure which applet or script-like behavior would actually run, weakening exec approval binding and risk classification.

## Technical Details

The fix treats `busybox` and `toybox` as opaque mutable script runners and fails closed rather than binding unsafe applet invocations.

## Fix

The issue was fixed in #65713. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `666f48d9b882a8a1415ca53f9567c72499d850c9`
- PR: #65713

## Release Process Note

Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @decsecre583 for reporting this issue.

Exploitation Scenario

An adversary who can influence tool availability in an openclaw agent, via a poisoned skill published to ClawHub, a malicious upstream dependency, or a prompt injection that leads the agent to resolve a new tool, introduces a busybox or toybox binary into the agent's tool context, or finds one already present in a busybox-based image. The pre-fix exec approval binding evaluates the binary name rather than resolving applet dispatch, and approves the invocation. At runtime, the adversary supplies arguments that make busybox execute an unauthorized applet such as wget, curl, or sh. The agent's runtime executes that applet under its own identity, which lets the adversary exfiltrate environment variables containing API keys or credentials, establish a reverse shell for persistent access, or move laterally within the agent's network segment, mirroring the credential theft pattern documented in AIID #1368.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026
