GHSA-4p4f-fc8q-84m3: openclaw: iOS bridge bypass enables unauthorized agent runs

GHSA-4p4f-fc8q-84m3 MEDIUM
Published April 7, 2026
CISO Take

OpenClaw's iOS A2UI bridge incorrectly trusted generic local-network and tailnet pages as authorized origins, allowing any attacker-controlled page reachable on the same network to dispatch agent.request calls without the required trusted-canvas origin check. While not in CISA KEV and carrying no public EPSS data, the attack requires only local-network adjacency — a realistic position in shared offices, developer VPNs, or corporate WiFi — making exploitation near-trivial for any network-adjacent attacker. Demonstrated impact is bounded to session state pollution and API budget consumption with no path to owner-only actions or host code execution, but budget exhaustion can disrupt agent-dependent workflows and adversary-influenced session state may corrupt subsequent agent behavior. Upgrade to openclaw >= 2026.4.2 immediately; no patch-equivalent workaround exists.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium risk, with exploitation complexity lowered to near-trivial once network adjacency is achieved. The A2UI bridge accepted any local-network host as a trusted origin — no credentials, no user interaction beyond loading a page. Impact ceiling is bounded (no RCE, no privilege escalation to owner actions), which keeps this out of critical territory. However, the 37 prior CVEs in the same package signal a historically security-immature codebase warranting elevated scrutiny of all OpenClaw deployments. No public exploits or scanner templates exist as of advisory publication, and CISA has not added this to KEV.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.4.1 | 2026.4.2 |

Do you use openclaw at version 2026.4.1 or earlier? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade openclaw to >= 2026.4.2 immediately (fix: commit 49d08382 restricts A2UI action dispatch to trusted canvas URLs only).
  2. Until patched, isolate iOS OpenClaw instances to strictly controlled network segments where untrusted hosts cannot reach the device.
  3. Review and restrict tailnet/VPN membership to devices running OpenClaw on iOS.
  4. Monitor agent session logs for unexpected agent.request activity or anomalous API budget consumption patterns.
  5. Audit any prior sessions conducted on shared or untrusted networks (guest WiFi, conference networks, shared VPNs) for signs of state pollution or budget anomalies.

Classification

Compliance Impact

This advisory is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.9.2 - User access management
NIST AI RMF: MANAGE-2.2 - Risk response — treatment of identified AI risks
OWASP LLM Top 10: LLM08:2025 - Excessive Agency

Technical Details

NVD Description

## Summary

Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check.

## Impact

A loaded attacker-controlled page could inject unauthorized non-owner agent.request runs into the active iOS node session, polluting session state and consuming budget. The demonstrated impact did not include owner-only actions or arbitrary host execution.

## Affected Packages / Versions

- Package: openclaw (npm)
- Affected versions: <= 2026.4.1
- Patched versions: >= 2026.4.2
- Latest published npm version: 2026.4.1

## Fix Commit(s)

49d08382a90f71dabe2877b3f6729ad85f808d57 — restrict A2UI action dispatch to trusted canvas URLs

## Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.

Thanks [@nexrin](https://github.com/nexrin) for reporting.
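The gap between the pre-patch trust rule and the restricted check the fix commit describes, as an added JavaScript illustration (not OpenClaw's code). The function names, the allowlisted canvas URL and the address ranges standing in for "local-network or tailnet" are assumptions made for this example.

```javascript
// Added illustration, not OpenClaw source. Function names, the allowlist
// entry and the address ranges below are assumptions for this example.
const TRUSTED_CANVAS_URLS = ['http://192.168.1.20:8080/canvas/']; // constructed

function parseUrl(raw) {
  try { return new URL(raw); } catch { return null; }
}

// Pre-patch rule as the advisory describes it: any local-network or tailnet
// host is accepted as a bridge origin (RFC 1918, 100.64.0.0/10, .local, .ts.net).
function isLocalOrTailnetHost(raw) {
  const u = parseUrl(raw);
  if (!u) return false;
  const h = u.hostname;
  if (h.endsWith('.local') || h.endsWith('.ts.net')) return true;
  const o = h.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    return false;
  }
  return o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127);
}

// Restricted rule: the page must sit under an allowlisted canvas URL.
// Scheme, host and port must match exactly; the URL parser has already
// collapsed "../" segments, so the prefix test cannot be walked out of.
function isTrustedCanvasUrl(raw, trusted = TRUSTED_CANVAS_URLS) {
  const u = parseUrl(raw);
  if (!u || u.username || u.password) return false;
  return trusted.some((t) => {
    const c = new URL(t);
    return u.origin === c.origin && u.pathname.startsWith(c.pathname);
  });
}

// Bridge gate: may this page's message be dispatched as agent.request?
function allowDispatch(pageUrl, action, originCheck) {
  return action === 'agent.request' && originCheck(pageUrl);
}
```

A page on a neighbouring LAN host passes `isLocalOrTailnetHost` but fails `isTrustedCanvasUrl`, which is the class of page the restricted check is meant to exclude.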

Exploitation Scenario

An attacker on the same WiFi network, corporate LAN, or VPN tailnet as a developer running OpenClaw on iOS stands up a local web server hosting a malicious page. They deliver the URL via a phishing message, poisoned local DNS record, or network-level injection. When OpenClaw's iOS A2UI bridge loads the page, the pre-patch origin check incorrectly accepts it as a valid trusted bridge origin. The malicious page then calls agent.request with adversary-crafted parameters, injecting unauthorized instructions into the active agent session — corrupting its working state for subsequent tasks and draining the victim's API budget — all without requiring any credentials, user consent, or elevated privileges.

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026
