GHSA-4p4f-fc8q-84m3: openclaw: iOS bridge bypass enables unauthorized agent runs

GHSA-4p4f-fc8q-84m3 MEDIUM
Published April 7, 2026
CISO Take

OpenClaw's iOS A2UI bridge incorrectly trusted generic local-network and tailnet pages as authorized origins, allowing any attacker-controlled page reachable on the same network to dispatch agent.request calls without the required trusted-canvas origin check. While not in CISA KEV and carrying no public EPSS data, the attack requires only local-network adjacency — a realistic position in shared offices, developer VPNs, or corporate WiFi — making exploitation near-trivial for any network-adjacent attacker. Demonstrated impact is bounded to session state pollution and API budget consumption with no path to owner-only actions or host code execution, but budget exhaustion can disrupt agent-dependent workflows and adversary-influenced session state may corrupt subsequent agent behavior. Upgrade to openclaw >= 2026.4.2 immediately; no patch-equivalent workaround exists.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium risk, with exploitation complexity lowered to near-trivial once network adjacency is achieved. The A2UI bridge accepted any local-network host as a trusted origin — no credentials, no user interaction beyond loading a page. Impact ceiling is bounded (no RCE, no privilege escalation to owner actions), which keeps this out of critical territory. However, the 37 prior CVEs in the same package signal a historically security-immature codebase warranting elevated scrutiny of all OpenClaw deployments. No public exploits or scanner templates exist as of advisory publication, and CISA has not added this to KEV.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm <= 2026.4.1 2026.4.2
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. Upgrade openclaw to >= 2026.4.2 immediately (fix: commit 49d08382 restricts A2UI action dispatch to trusted canvas URLs only).

  2. Until patched, isolate iOS OpenClaw instances to strictly controlled network segments where untrusted hosts cannot reach the device.

  3. Review and restrict tailnet/VPN membership to devices running OpenClaw on iOS.

  4. Monitor agent session logs for unexpected agent.request activity or anomalous API budget consumption patterns.

  5. Audit any prior sessions conducted on shared or untrusted networks (guest WiFi, conference networks, shared VPNs) for signs of state pollution or budget anomalies.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.9.2 - User access management
NIST AI RMF
MANAGE-2.2 - Risk response — treatment of identified AI risks
OWASP LLM Top 10
LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is GHSA-4p4f-fc8q-84m3?

OpenClaw's iOS A2UI bridge incorrectly trusted generic local-network and tailnet pages as authorized origins, allowing any attacker-controlled page reachable on the same network to dispatch agent.request calls without the required trusted-canvas origin check. While not in CISA KEV and carrying no public EPSS data, the attack requires only local-network adjacency — a realistic position in shared offices, developer VPNs, or corporate WiFi — making exploitation near-trivial for any network-adjacent attacker. Demonstrated impact is bounded to session state pollution and API budget consumption with no path to owner-only actions or host code execution, but budget exhaustion can disrupt agent-dependent workflows and adversary-influenced session state may corrupt subsequent agent behavior. Upgrade to openclaw >= 2026.4.2 immediately; no patch-equivalent workaround exists.

Is GHSA-4p4f-fc8q-84m3 actively exploited?

No confirmed active exploitation of GHSA-4p4f-fc8q-84m3 has been reported, but organizations should still patch proactively.

How to fix GHSA-4p4f-fc8q-84m3?

1. Upgrade openclaw to >= 2026.4.2 immediately (fix: commit 49d08382 restricts A2UI action dispatch to trusted canvas URLs only). 2. Until patched, isolate iOS OpenClaw instances to strictly controlled network segments where untrusted hosts cannot reach the device. 3. Review and restrict tailnet/VPN membership to devices running OpenClaw on iOS. 4. Monitor agent session logs for unexpected agent.request activity or anomalous API budget consumption patterns. 5. Audit any prior sessions conducted on shared or untrusted networks (guest WiFi, conference networks, shared VPNs) for signs of state pollution or budget anomalies.

What systems are affected by GHSA-4p4f-fc8q-84m3?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, iOS AI agent deployments, local network AI bridge integrations.

What is the CVSS score for GHSA-4p4f-fc8q-84m3?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksiOS AI agent deploymentslocal network AI bridge integrations

MITRE ATLAS Techniques

AML.T0034.002 Agentic Resource Consumption
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0080 AI Agent Context Poisoning

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.9.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

## Summary Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check. ## Impact A loaded attacker-controlled page could inject unauthorized non-owner agent.request runs into the active iOS node session, polluting session state and consuming budget. The demonstrated impact did not include owner-only actions or arbitrary host execution. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.1 - Patched versions: >= 2026.4.2 - Latest published npm version: 2026.4.1 ## Fix Commit(s) 49d08382a90f71dabe2877b3f6729ad85f808d57 — restrict A2UI action dispatch to trusted canvas URLs ## Release Process Note The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live. Thanks [@nexrin](https://github.com/nexrin) for reporting.

Exploitation Scenario

An attacker on the same WiFi network, corporate LAN, or VPN tailnet as a developer running OpenClaw on iOS stands up a local web server hosting a malicious page. They deliver the URL via a phishing message, poisoned local DNS record, or network-level injection. When OpenClaw's iOS A2UI bridge loads the page, the pre-patch origin check incorrectly accepts it as a valid trusted bridge origin. The malicious page then calls agent.request with adversary-crafted parameters, injecting unauthorized instructions into the active agent session — corrupting its working state for subsequent tasks and draining the victim's API budget — all without requiring any credentials, user consent, or elevated privileges.

Weaknesses (CWE)

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

Timeline

Published
April 7, 2026
Last Modified
April 7, 2026
First Seen
April 7, 2026

Related Vulnerabilities