AI Threat Alert

GHSA-49cg-279w-m73x: openclaw: auth bypass via empty approver list

GHSA-49cg-279w-m73x MEDIUM
Published April 17, 2026
CISO Take

openclaw's helper-backed channel approval system contains a missing authorization flaw (CWE-862) where an empty resolved approver list is interpreted as explicit approval, allowing any sender who knows a valid approval ID to bypass the authorization gate and resolve pending approvals without being an authorized approver. With only 4 downstream dependents, no EPSS data, no public exploits, and no KEV listing this vulnerability carries limited immediate blast radius — however, approval gates are the primary human-in-the-loop control in agentic AI workflows, and bypassing them undermines governance, audit trails, and compliance posture for ISO 42001 and EU AI Act obligations. Teams running openclaw should upgrade immediately to version 2026.4.12 or later (2026.4.14 is the latest); detection should focus on approval resolution events from senders absent from the configured approver list in audit logs.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium risk overall, but elevated in AI agent production environments. The vulnerability requires an attacker to possess a valid approval ID, which provides a partial barrier — yet approval IDs in agentic systems may be predictable, logged in plaintext, or obtainable via API responses. The absence of CVSS vector components and EPSS data prevents quantitative exploitation probability assessment. In AI agent contexts, approval gates are a critical governance control; their bypass enables unauthorized autonomous actions whose downstream impact can be disproportionate to the vulnerability's nominal severity rating.

How does the attack unfold?

Approval ID Reconnaissance
Attacker probes the openclaw deployment to enumerate or infer valid approval IDs via API responses, application logs, or predictable ID patterns.
AML.T0006
Authorization Bypass
Attacker submits an approval resolution request with the known approval ID; the empty resolved approver list triggers the missing authorization flaw, granting implicit approval.
AML.T0049
Unauthorized Agent Action Invocation
With the approval gate bypassed, the attacker causes downstream agent tools, API calls, or automated workflows to execute without any legitimate approver having authorized them.
AML.T0053
Impact
Unauthorized agentic actions proceed outside human oversight, potentially causing data exposure, privilege escalation, or compliance violations in the affected AI pipeline.
AML.T0048

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm < 2026.4.12 2026.4.12
4 dependents 36% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps

  1. Upgrade openclaw to >= 2026.4.12; the latest stable release 2026.4.14 includes the fix and regression coverage.

  2. As an interim workaround, audit all approval configurations and ensure every approval workflow defines an explicit, non-empty approver list — reject any channel configuration with an empty approver list at the policy level.

  3. Enable audit logging on approval resolution endpoints and alert on resolution events from senders not present in the configured approver list.

  4. Restrict network access to approval resolution endpoints to known trusted services.

  5. Review all agentic workflows where approvals gate privileged or externally-visible actions.

How is it classified?

Auth Bypass Agent Framework AML.T0049 AML.T0053 AML.T0107

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 14 - Human oversight
ISO 42001
6.1.2 - AI risk assessment — access control
NIST AI RMF
GOVERN 1.1 - Accountability mechanisms
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-49cg-279w-m73x?

openclaw's helper-backed channel approval system contains a missing authorization flaw (CWE-862) where an empty resolved approver list is interpreted as explicit approval, allowing any sender who knows a valid approval ID to bypass the authorization gate and resolve pending approvals without being an authorized approver. With only 4 downstream dependents, no EPSS data, no public exploits, and no KEV listing this vulnerability carries limited immediate blast radius — however, approval gates are the primary human-in-the-loop control in agentic AI workflows, and bypassing them undermines governance, audit trails, and compliance posture for ISO 42001 and EU AI Act obligations. Teams running openclaw should upgrade immediately to version 2026.4.12 or later (2026.4.14 is the latest); detection should focus on approval resolution events from senders absent from the configured approver list in audit logs.

Is GHSA-49cg-279w-m73x actively exploited?

No confirmed active exploitation of GHSA-49cg-279w-m73x has been reported, but organizations should still patch proactively.

How to fix GHSA-49cg-279w-m73x?

1. Upgrade openclaw to >= 2026.4.12; the latest stable release 2026.4.14 includes the fix and regression coverage. 2. As an interim workaround, audit all approval configurations and ensure every approval workflow defines an explicit, non-empty approver list — reject any channel configuration with an empty approver list at the policy level. 3. Enable audit logging on approval resolution endpoints and alert on resolution events from senders not present in the configured approver list. 4. Restrict network access to approval resolution endpoints to known trusted services. 5. Review all agentic workflows where approvals gate privileged or externally-visible actions.

What systems are affected by GHSA-49cg-279w-m73x?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines, human-in-the-loop approval workflows, AI orchestration platforms.

What is the CVSS score for GHSA-49cg-279w-m73x?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksagentic pipelineshuman-in-the-loop approval workflowsAI orchestration platforms

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 14
ISO 42001: 6.1.2
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

## Summary Empty approver lists could grant explicit approval authorization. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization, allowing a sender outside the normal channel authorization gate to resolve pending approvals if they knew an approval id. ## Technical Details The fix prevents empty approver lists from granting explicit approval authorization and adds regression coverage for unauthorized senders. ## Fix The issue was fixed in #65714. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `0a105c0900de701d2ee9f1abc96b017afbd0afdd` - PR: #65714 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @anshumanbh for reporting this issue.

Exploitation Scenario

An adversary — a malicious insider, a compromised service account, or an external attacker with partial API access — identifies an openclaw deployment with helper-backed approval channels. By enumerating approval IDs through API response inspection, log access, or brute-force of a predictable ID space, the attacker obtains a valid approval ID for a pending approval. The attacker submits an approval resolution request; the empty resolved approver list condition causes openclaw to interpret the request as explicitly authorized. The approval gate passes, and downstream agent actions — tool invocations, data queries, or automated follow-on steps — execute without any legitimate approver sign-off, bypassing the human oversight control entirely.

Weaknesses (CWE)

CWE-862 Missing Authorization Primary

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

References

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33579 9.9

OpenClaw: scope bypass escalates low-priv to admin

Same package: openclaw
CRITICAL CVE-2026-32922 9.9

OpenClaw: privilege escalation to RCE via token scope bypass

Same package: openclaw
CRITICAL CVE-2026-53838 9.8

OpenClaw: approval scope bypass via reconnection state

Same package: openclaw
CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-32038 9.8

Analysis pending

Same package: openclaw
Back to Threat Feed