GHSA-2qrv-rc5x-2g2h: OpenClaw: untrusted plugin RCE via workspace channel setup

GHSA-2qrv-rc5x-2g2h MEDIUM
Published April 7, 2026
CISO Take

OpenClaw versions <= 2026.4.1 allow a disabled, untrusted workspace plugin to execute arbitrary in-process code by claiming a bundled channel identifier during workspace setup or login. No explicit user trust decision is required: cloning a malicious workspace is all it takes to trigger execution. This is a trust-boundary bypass at the most sensitive moment in the agent lifecycle: initialization, before security controls are fully applied. With 37 prior CVEs in the openclaw package and confirmed in-the-wild abuse of its plugin ecosystem (AIID #1368 documented roughly 17% malicious skills in OpenClaw's ClawHub actively exfiltrating credentials), the attack surface is not theoretical: threat actors are already targeting OpenClaw's plugin trust model. Patch all openclaw deployments to >= 2026.4.2 immediately and audit any recently cloned or imported workspaces for unrecognized plugin registrations.

Sources: GitHub Advisory, ATLAS, AIID

Risk Assessment

Medium severity per CVSS but contextually elevated for AI agent deployments. The trust bypass occurs at setup time, making detection harder than runtime exploits — the plugin runs before the user has a chance to review or reject it. Exploitation requires a victim to clone a malicious workspace, which is achievable via social engineering, malicious workspace marketplaces, or supply chain compromise of shared workspace templates. No public exploit or CISA KEV listing currently, but the pattern aligns precisely with active abuse documented in AIID #1368. Environments where teams share or clone external workspaces face immediate elevated risk.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.4.1 | 2026.4.2 |

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Patch: Upgrade openclaw to >= 2026.4.2 immediately across all environments.
  2. Audit: Review all workspace configurations for unknown or unexpected plugin registrations, especially in recently cloned workspaces.
  3. Restrict: Enforce workspace provenance policies — only allow workspaces from trusted internal sources until patch is confirmed deployed.
  4. Detect: Monitor for unexpected plugin activation events during channel setup/login in agent logs.
  5. Isolate: Run OpenClaw agent processes with least-privilege permissions to limit blast radius if exploitation has already occurred.

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment; 8.4 - AI system lifecycle
NIST AI RMF: GOVERN 1.2 - AI risk management policies
OWASP LLM Top 10: LLM06 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary

Before OpenClaw 2026.4.2, built-in channel setup and login could resolve an untrusted workspace channel shadow before the plugin was explicitly trusted. A malicious workspace plugin that claimed a bundled channel id could execute during channel setup even while still disabled.

## Impact

A cloned workspace could turn channel setup for a built-in channel into unintended in-process code execution from an untrusted workspace plugin. This bypassed the intended workspace-plugin trust boundary during setup and login.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0` — ignore untrusted workspace channel shadows during setup resolution

## Release Process Note

The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @zpbrent for reporting.

Exploitation Scenario

An adversary publishes a malicious workspace on a public sharing platform or compromises an existing trusted workspace template. The workspace contains a plugin that claims a bundled channel identifier matching a built-in OpenClaw channel. When a victim developer or operator clones the workspace and initiates channel setup or logs in, OpenClaw resolves the channel shadow without verifying plugin trust status, executing the malicious plugin in-process. The plugin can then enumerate credentials stored in the agent configuration, exfiltrate API keys, establish persistence, or laterally pivot to connected AI services — all before the user sees any trust prompt. This mirrors the exact credential-theft pattern observed in AIID #1368.
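The setup-time resolution flaw and its fix, as described in the Technical Details above, can be modelled in a few lines. This is an added illustration, not OpenClaw's code: every field, function and channel id below is hypothetical, the sample registry is constructed, and requiring both `trusted` and `enabled` is this model's assumption.

```javascript
// Simplified model of setup-time channel resolution. Added illustration only:
// all names (fields, functions, ids) are hypothetical, not OpenClaw's API.

// Constructed sample data: one bundled channel and two workspace plugins.
const bundledChannels = new Map([
  ["chat", { id: "chat", origin: "bundled", setup: () => "bundled setup ran" }],
]);
const workspacePlugins = [
  // Claims a bundled id while disabled and never trusted: a "channel shadow".
  { id: "chat", origin: "workspace", enabled: false, trusted: false,
    setup: () => "workspace plugin code ran" },
  { id: "notes", origin: "workspace", enabled: true, trusted: true,
    setup: () => "trusted workspace setup ran" },
];

// Flawed pattern: a workspace entry wins on id match alone, so its setup
// code is selected regardless of the enabled/trusted flags.
function resolveSetupChannelFlawed(id, plugins, bundled) {
  return plugins.find((p) => p.id === id) ?? bundled.get(id) ?? null;
}

// Hardened pattern, following the fix summary ("ignore untrusted workspace
// channel shadows during setup resolution"): trust is part of the lookup,
// so an untrusted shadow falls through to the bundled channel.
function resolveSetupChannelHardened(id, plugins, bundled) {
  const candidate = plugins.find((p) => p.id === id && p.trusted && p.enabled);
  return candidate ?? bundled.get(id) ?? null;
}

// Audit helper: ids of workspace plugins that claim a bundled channel id
// without having been trusted. Useful as a pre-setup review check.
function findUntrustedShadows(plugins, bundled) {
  return plugins.filter((p) => bundled.has(p.id) && !p.trusted).map((p) => p.id);
}

const flawed = resolveSetupChannelFlawed("chat", workspacePlugins, bundledChannels);
const hardened = resolveSetupChannelHardened("chat", workspacePlugins, bundledChannels);
console.log("flawed resolver picks:  ", flawed.origin, "->", flawed.setup());
console.log("hardened resolver picks:", hardened.origin, "->", hardened.setup());
console.log("untrusted shadows:", findUntrustedShadows(workspacePlugins, bundledChannels));
```

The audit helper corresponds to the "Audit" step under Recommended Action: any workspace plugin whose id collides with a bundled channel and that has not been explicitly trusted deserves review before setup is run.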

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026