GHSA-4p4f-fc8q-84m3: openclaw: iOS bridge bypass enables unauthorized agent runs
GHSA-4p4f-fc8q-84m3 MEDIUMOpenClaw's iOS A2UI bridge incorrectly trusted generic local-network and tailnet pages as authorized origins, allowing any attacker-controlled page reachable on the same network to dispatch agent.request calls without the required trusted-canvas origin check. While not in CISA KEV and carrying no public EPSS data, the attack requires only local-network adjacency — a realistic position in shared offices, developer VPNs, or corporate WiFi — making exploitation near-trivial for any network-adjacent attacker. Demonstrated impact is bounded to session state pollution and API budget consumption with no path to owner-only actions or host code execution, but budget exhaustion can disrupt agent-dependent workflows and adversary-influenced session state may corrupt subsequent agent behavior. Upgrade to openclaw >= 2026.4.2 immediately; no patch-equivalent workaround exists.
What is the risk?
Medium risk, with exploitation complexity lowered to near-trivial once network adjacency is achieved. The A2UI bridge accepted any local-network host as a trusted origin — no credentials, no user interaction beyond loading a page. Impact ceiling is bounded (no RCE, no privilege escalation to owner actions), which keeps this out of critical territory. However, the 37 prior CVEs in the same package signal a historically security-immature codebase warranting elevated scrutiny of all OpenClaw deployments. No public exploits or scanner templates exist as of advisory publication, and CISA has not added this to KEV.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.4.1 | 2026.4.2 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Upgrade openclaw to >= 2026.4.2 immediately (fix: commit 49d08382 restricts A2UI action dispatch to trusted canvas URLs only).
-
Until patched, isolate iOS OpenClaw instances to strictly controlled network segments where untrusted hosts cannot reach the device.
-
Review and restrict tailnet/VPN membership to devices running OpenClaw on iOS.
-
Monitor agent session logs for unexpected agent.request activity or anomalous API budget consumption patterns.
-
Audit any prior sessions conducted on shared or untrusted networks (guest WiFi, conference networks, shared VPNs) for signs of state pollution or budget anomalies.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-4p4f-fc8q-84m3?
OpenClaw's iOS A2UI bridge incorrectly trusted generic local-network and tailnet pages as authorized origins, allowing any attacker-controlled page reachable on the same network to dispatch agent.request calls without the required trusted-canvas origin check. While not in CISA KEV and carrying no public EPSS data, the attack requires only local-network adjacency — a realistic position in shared offices, developer VPNs, or corporate WiFi — making exploitation near-trivial for any network-adjacent attacker. Demonstrated impact is bounded to session state pollution and API budget consumption with no path to owner-only actions or host code execution, but budget exhaustion can disrupt agent-dependent workflows and adversary-influenced session state may corrupt subsequent agent behavior. Upgrade to openclaw >= 2026.4.2 immediately; no patch-equivalent workaround exists.
Is GHSA-4p4f-fc8q-84m3 actively exploited?
No confirmed active exploitation of GHSA-4p4f-fc8q-84m3 has been reported, but organizations should still patch proactively.
How to fix GHSA-4p4f-fc8q-84m3?
1. Upgrade openclaw to >= 2026.4.2 immediately (fix: commit 49d08382 restricts A2UI action dispatch to trusted canvas URLs only). 2. Until patched, isolate iOS OpenClaw instances to strictly controlled network segments where untrusted hosts cannot reach the device. 3. Review and restrict tailnet/VPN membership to devices running OpenClaw on iOS. 4. Monitor agent session logs for unexpected agent.request activity or anomalous API budget consumption patterns. 5. Audit any prior sessions conducted on shared or untrusted networks (guest WiFi, conference networks, shared VPNs) for signs of state pollution or budget anomalies.
What systems are affected by GHSA-4p4f-fc8q-84m3?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, iOS AI agent deployments, local network AI bridge integrations.
What is the CVSS score for GHSA-4p4f-fc8q-84m3?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0034.002 Agentic Resource Consumption AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation AML.T0080 AI Agent Context Poisoning Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check. ## Impact A loaded attacker-controlled page could inject unauthorized non-owner agent.request runs into the active iOS node session, polluting session state and consuming budget. The demonstrated impact did not include owner-only actions or arbitrary host execution. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.1 - Patched versions: >= 2026.4.2 - Latest published npm version: 2026.4.1 ## Fix Commit(s) 49d08382a90f71dabe2877b3f6729ad85f808d57 — restrict A2UI action dispatch to trusted canvas URLs ## Release Process Note The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live. Thanks [@nexrin](https://github.com/nexrin) for reporting.
Exploitation Scenario
An attacker on the same WiFi network, corporate LAN, or VPN tailnet as a developer running OpenClaw on iOS stands up a local web server hosting a malicious page. They deliver the URL via a phishing message, poisoned local DNS record, or network-level injection. When OpenClaw's iOS A2UI bridge loads the page, the pre-patch origin check incorrectly accepts it as a valid trusted bridge origin. The malicious page then calls agent.request with adversary-crafted parameters, injecting unauthorized instructions into the active agent session — corrupting its working state for subsequent tasks and draining the victim's API budget — all without requiring any credentials, user consent, or elevated privileges.
Weaknesses (CWE)
CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw