GHSA-3fv3-6p2v-gxwj: openclaw: SSRF bypass in QQ Bot media fetch paths

GHSA-3fv3-6p2v-gxwj MEDIUM
Published April 9, 2026
CISO Take

OpenClaw's QQ Bot extension failed to route all media download paths through its SSRF guard and allowlist policy, meaning a crafted media URL in a QQ message could cause the agent to make unauthorized requests to internal network resources. The vendor explicitly scoped this to OpenClaw's local-assistant trust model — this is not a multi-tenant service boundary issue — and severity is medium with no CVSS vector, no EPSS data, no public exploit, and no CISA KEV listing. That said, SSRF in an AI agent tool is particularly sensitive because the agent process often has access to cloud metadata endpoints (169.254.169.254), locally running services, or internal APIs that a browser-based SSRF would not reach. Teams running OpenClaw should upgrade to 2026.4.8 immediately; no workaround short of patching is documented.

Sources: GitHub Advisory, ATLAS, CISA KEV

Risk Assessment

Medium risk in practice. The local-assistant trust model limits blast radius compared to a multi-tenant deployment, but SSRF in an AI agent tool is more dangerous than in a typical web app because agent processes frequently run with elevated local network access. The package's history of 60 CVEs is a material signal about overall security posture and should factor into adoption decisions. No active exploitation evidence exists today.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade openclaw to version 2026.4.8 (patched, commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5).
  2. Audit QQ Bot extension configuration to verify SSRF allowlists cover all media fetch code paths post-upgrade.
  3. Apply host-level or container egress controls to restrict outbound connections from the OpenClaw process to only required external endpoints — block access to RFC-1918 ranges and 169.254.169.254.
  4. Monitor process-level network logs for unexpected requests to internal ranges originating from the OpenClaw binary.
  5. Given the package's 60-CVE history, evaluate whether openclaw meets your organization's third-party software acceptance criteria.
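
The checks behind steps 2 and 3, as an added JavaScript example (not OpenClaw's code; `evaluateMediaFetch`, `isInternalAddress`, the policy shape and any host names passed in are hypothetical): one decision function that every media download path calls with the URL and the addresses DNS returned for it, before any connection is opened.

```javascript
// Added example, not OpenClaw code. Function names and the policy shape are hypothetical.
// IPv4 ranges a media fetch must never reach: [network, prefix length].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted-quad string -> integer, or null when the string is not an IPv4 address.
function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInternalAddress(ip) {
  const n = v4ToInt(ip);
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
    });
  }
  const v6 = ip.toLowerCase();
  if (!v6.includes(':')) return true; // not an IP address at all: fail closed
  // Unspecified, loopback, IPv4-mapped (blocked wholesale), unique-local, link-local.
  return v6 === '::' || v6 === '::1' || v6.startsWith('::ffff:') ||
    /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
}

// resolvedAddrs: every address DNS returned for the host (ignored for IP literals).
function evaluateMediaFetch(rawUrl, resolvedAddrs, policy) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allow: false, reason: 'unparseable-url' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { allow: false, reason: 'scheme' };
  const host = url.hostname.replace(/^\[|\]$/g, ''); // URL parsing has already normalised the host
  const literal = v4ToInt(host) !== null || host.includes(':');
  const addrs = literal ? [host] : resolvedAddrs;
  if (addrs.length === 0) return { allow: false, reason: 'no-address' };
  const bad = addrs.find(isInternalAddress); // one internal answer rejects the whole fetch
  if (bad) return { allow: false, reason: 'internal-address:' + bad };
  if (!policy.allowHosts.some((h) => host === h || host.endsWith('.' + h))) {
    return { allow: false, reason: 'host-not-allowlisted' };
  }
  return { allow: true, connectTo: addrs[0] };
}
```

Connect to the returned `connectTo` address instead of resolving the name a second time, and run the same check again on every redirect hop.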

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI system security; A.6.2.6 - AI system security controls
NIST AI RMF: MANAGE 2.2 - Mechanisms to ensure AI system correctability
OWASP LLM Top 10: LLM06:2025 - Excessive Agency; LLM07:2025 - System Prompt Leakage; LLM08:2025 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is GHSA-3fv3-6p2v-gxwj actively exploited?

No confirmed active exploitation of GHSA-3fv3-6p2v-gxwj has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-3fv3-6p2v-gxwj?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI assistant integrations, messaging platform plugins.

What is the CVSS score for GHSA-3fv3-6p2v-gxwj?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact

QQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths.

QQ Bot media download paths were not consistently routed through the SSRF guard and allowlist policy.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.2`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @adithyan-ak for reporting.

Exploitation Scenario

An adversary with the ability to send QQ messages to an OpenClaw user (e.g., a social engineering lure or a compromised QQ contact) embeds a media attachment URL pointing to an internal target such as http://169.254.169.254/latest/meta-data/ on a cloud instance or http://localhost:8080/api/admin on a locally running service. When OpenClaw's QQ Bot extension processes the message and fetches the media, it takes a code path that was not covered by the SSRF guard, bypassing the allowlist policy. The HTTP response from the internal target is returned to the agent context; if the agent logs, displays, or further processes this response, the attacker gains read access to internal data or can probe services behind the local network boundary.

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026