GHSA-4f8g-77mw-3rxc: OpenClaw: gateway auth expands read to write privilege

GHSA-4f8g-77mw-3rxc LOW
Published April 9, 2026
CISO Take

OpenClaw's gateway plugin HTTP authentication handler incorrectly elevates operator.read-scoped requests to operator.write at runtime, granting unintended write capabilities to components that declared only read access. While the advisory scopes this to a single-user local assistant with no multi-tenant blast radius and no CVSS score or active exploitation on record, the package has accumulated 60 CVEs — a pattern of systemic security debt that should inform any decision to deploy OpenClaw in an organizational context. No public exploit is available and EPSS data is absent, but the deterministic nature of the scope widening means exploitation requires no special skill once the affected version is installed — and in the context of AIID #1368, where ~17% of ClawHub third-party skills were assessed as malicious, this bug would amplify a compromised skill from passive read to active write. Upgrade to openclaw ≥2026.4.8 immediately.

Sources: GitHub Advisory, ATLAS

Risk Assessment

Low immediate risk within the stated local-assistant trust model: no multi-tenant exposure, no CVSS assigned, absent from CISA KEV, no public exploit. The deterministic scope widening (read→write granted automatically through the gateway auth flow) requires no adversarial sophistication — trivial to leverage once the affected version is installed. The 60-CVE history of openclaw elevates concern about systemic privilege and boundary enforcement failures, making this a pattern-level risk signal rather than a purely isolated incident. Risk increases materially if OpenClaw is deployed in contexts beyond its stated single-user trust boundary.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
openclaw | npm | < 2026.4.8 | 2026.4.8


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Upgrade openclaw to ≥2026.4.8 (npm) immediately.
  2. Verify the fix by confirming commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 is present in your installed version.
  3. Audit all gateway plugin HTTP routes that use `auth: gateway` and validate that operator scopes align with actual runtime behavior post-patch.
  4. Pre-patch workaround: disable gateway plugin HTTP routes or restrict them to integrations where downstream write operations carry no material consequence.
  5. Given the 60-CVE package history, perform a broader trust assessment of openclaw before using it in any environment where agent write actions have organizational impact.
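
One way to check step 1 across a project, as an added example (not code from the advisory or the OpenClaw project): scan the `packages` map of an npm lockfile v2/v3 for every `openclaw` copy, including nested ones, and compare versions numerically against the patched release. The sample lockfile and the package names `demo-app`, `some-skill` and `openclaw-helper` are constructed.

```javascript
// Added example: flag openclaw copies below the patched release in an npm lockfile.
const PATCHED = "2026.4.8"; // patched version stated in the advisory

// Compare dotted numeric versions part by part. Plain string comparison
// is wrong for this scheme: "2026.4.10" sorts before "2026.4.8" as text.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the version is below PATCHED. Pre-releases of the patched
// version and unparseable versions are flagged too (fail closed).
function isVulnerable(version) {
  const noBuild = String(version).split("+")[0];
  const dash = noBuild.indexOf("-");
  const core = dash === -1 ? noBuild : noBuild.slice(0, dash);
  if (!/^\d+(\.\d+)*$/.test(core)) return true;
  const c = compareVersions(core, PATCHED);
  return c < 0 || (c === 0 && dash !== -1);
}

// Walk the "packages" map of a lockfile v2/v3 and report every openclaw
// copy, top-level or nested under another dependency.
function findOpenclaw(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/openclaw$/.test(path))
    .map(([path, meta]) => ({ path, version: meta.version, vulnerable: isVulnerable(meta.version) }));
}

// Constructed sample lockfile; package names other than openclaw are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/openclaw": { version: "2026.4.10" },
    "node_modules/some-skill/node_modules/openclaw": { version: "2026.1.29" },
    "node_modules/openclaw-helper": { version: "1.2.3" },
  },
};

console.log(findOpenclaw(sampleLock));
```

A nested vulnerable copy pulled in by another dependency is reported even when the top-level install is already patched.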

Classification

Compliance Impact

This advisory is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.1 - Roles, responsibilities and authorities for AI systems; Clause 8.4 - AI system operation — access and privilege control
NIST AI RMF: MANAGE 2.4 - Residual risks and impacted AI risks are monitored and managed; MANAGE-2.2 - Mechanisms exist to sustain AI deployment per organizational policies
OWASP LLM Top 10: LLM08:2025 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is GHSA-4f8g-77mw-3rxc actively exploited?

No confirmed active exploitation of GHSA-4f8g-77mw-3rxc has been reported, but organizations should still patch proactively.

How to fix GHSA-4f8g-77mw-3rxc?

  1. Upgrade openclaw to ≥2026.4.8 (npm) immediately.
  2. Verify the fix by confirming commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 is present in your installed version.
  3. Audit all gateway plugin HTTP routes that use `auth: gateway` and validate that operator scopes align with actual runtime behavior post-patch.
  4. Pre-patch workaround: disable gateway plugin HTTP routes or restrict them to integrations where downstream write operations carry no material consequence.
  5. Given the 60-CVE package history, perform a broader trust assessment of openclaw before using it in any environment where agent write actions have organizational impact.

What systems are affected by GHSA-4f8g-77mw-3rxc?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, plugin systems.

What is the CVSS score for GHSA-4f8g-77mw-3rxc?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact

Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`. Plugin HTTP routes using gateway auth could receive runtime write scopes even when the upstream trusted-proxy request only declared read.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `2026.1.29`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @smaeljaish771 for reporting.
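
The bug class described above, as an added example: a simplified model of scope widening beside a capped resolver, with the invariant a regression test would assert (runtime scopes never exceed declared scopes). This is not OpenClaw's code; every function, field and route name is hypothetical, and only the scope strings `operator.read` and `operator.write` and the `gateway` auth mode come from the advisory.

```javascript
// Simplified model, not OpenClaw code. All names below are hypothetical.

// Widening behaviour: a route using gateway auth hands out a fixed runtime
// scope set, ignoring what the upstream request actually declared.
function resolveScopesWidening(route, declared) {
  if (route.auth === "gateway") return ["operator.read", "operator.write"];
  return [...declared];
}

// Capped behaviour: runtime scopes are the declared scopes, filtered to
// those the route accepts. Nothing the caller did not declare is added.
function resolveScopesCapped(route, declared) {
  const accepted = new Set(route.acceptedScopes);
  return declared.filter((s) => accepted.has(s));
}

// Invariant: runtime scopes must be a subset of the declared scopes.
// Returns the scopes that were granted without having been declared.
function widenedScopes(resolver, route, declared) {
  const declaredSet = new Set(declared);
  return resolver(route, declared).filter((s) => !declaredSet.has(s));
}

// Constructed route and request cases for the regression check.
const route = {
  path: "/plugin/notes",
  auth: "gateway",
  acceptedScopes: ["operator.read", "operator.write"],
};
const cases = [["operator.read"], ["operator.read", "operator.write"]];

// Run every case through a resolver and keep the ones that break the invariant.
function audit(resolver) {
  return cases
    .map((declared) => ({ declared, extra: widenedScopes(resolver, route, declared) }))
    .filter((r) => r.extra.length > 0);
}

console.log("widening:", JSON.stringify(audit(resolveScopesWidening)));
console.log("capped:  ", JSON.stringify(audit(resolveScopesCapped)));
```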

Exploitation Scenario

A malicious skill installed via ClawHub (threat pattern from AIID #1368) invokes a gateway plugin HTTP route that legitimately declares operator.read scope. Due to the scope widening bug, the OpenClaw runtime silently grants operator.write access. The skill exploits this to perform write operations beyond its declared intent: modifying agent memory or tool configurations, writing files to the local system, altering agent behavioral context, or exfiltrating credentials through write-enabled tool integrations — all without triggering any scope-violation alert since the runtime treats the escalated write as legitimate. The attack requires no special knowledge beyond knowing the affected version is installed.

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026
