GHSA-57r2-h2wj-g887: openclaw: trust-label bypass amplifies prompt injection

GHSA-57r2-h2wj-g887 LOW
Published April 25, 2026
CISO Take

OpenClaw's cron agent delivery pipeline failed to propagate `trusted: false` labels when forwarding webhook-triggered isolated agent output to the main session awareness stream, causing adversary-influenced content to render as a trusted `System:` event. While this does not directly bypass gateway auth, tool policy, or sandboxing, it is a meaningful force multiplier in agentic pipelines where prompt injection is already the primary attack surface — collapsing the trust boundary between sandboxed cron sessions and the main agent context. With only 4 downstream dependents, no active exploitation, no public exploit code, and no KEV listing, broad industry exposure is limited today, but any organization running OpenClaw with webhook-connected cron agents ingesting external data faces materially elevated prompt injection risk until patched. Upgrade to `openclaw@2026.4.20` immediately and audit all cron agent webhook configurations for untrusted input sources.

Sources: GitHub Advisory, ATLAS, CISA KEV

What is the risk?

Low severity per the advisory, and that rating is appropriate given no active exploitation, no EPSS data, no public exploit, and minimal downstream footprint (4 dependents). However, the vulnerability's risk profile is asymmetric: in agentic AI deployments, trust boundary violations are high-value attack enablers rather than standalone exploits. Organizations using OpenClaw in automated pipelines that ingest external or user-controlled data via webhook-triggered cron agents should treat this as moderate operational risk despite the low base severity.

How does the attack unfold?

Content Injection
Adversary submits crafted adversarial instructions to a data source (webhook endpoint, RSS feed, external API) monitored by an OpenClaw webhook-triggered cron agent.
AML.T0051.001
Trust Escalation
Cron agent processes the adversary's payload and forwards output to the main session awareness stream; the pre-patch vulnerability strips the `trusted: false` label, reclassifying untrusted content as a trusted `System:` event.
AML.T0080
Context Poisoning
Main agent session ingests the escalated event as a legitimate system-level instruction, giving adversary-controlled content full system-trust authority over agent behavior for the session.
AML.T0080.001
Impact
Agent executes adversary-directed instructions under system trust — invoking unauthorized tools, exfiltrating session context or credentials, or altering agent behavior in alignment with adversary goals.
AML.T0053

What systems are affected?

Package    Ecosystem    Vulnerable Range    Patched
OpenClaw   npm          < 2026.4.20         2026.4.20

4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

5 steps
  1. Upgrade the openclaw npm package to version 2026.4.20 or later — this is the only complete fix.

  2. Until patched, audit all webhook-triggered cron agent configurations and eliminate or gate untrusted external input sources feeding into cron jobs.

  3. If running a pre-patch version, implement application-level validation to explicitly enforce trusted: false on all cron-delivered events in downstream processing.

  4. Monitor agent session logs for unexpected System: events originating from cron delivery paths as an anomaly detection signal.

  5. Apply defense-in-depth by treating all cron agent outputs as untrusted in your agent's tool policy and capability grants, regardless of the trust label reported by the framework.
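Steps 3 and 4 above can be implemented as a thin application-level guard in front of the main session. The following is an added example, not OpenClaw's own code; the event shape `{ id, origin, kind, trusted, text }` and the origin names `cron` / `cron-webhook` are assumptions made for illustration, so map them onto whatever your deployment actually logs.

```javascript
// Added example (not OpenClaw code). Assumed event shape:
// { id, origin, kind, trusted, text }. Origins named "cron" and
// "cron-webhook" stand in for whatever cron delivery paths you run.
const CRON_ORIGINS = new Set(["cron", "cron-webhook"]);

// Step 3: before a cron-delivered event reaches the main session, force
// trusted:false regardless of what upstream set. The pre-patch bug dropped
// the label, so a missing label is treated exactly like a wrong one.
function enforceCronTrustLabel(event) {
  if (!CRON_ORIGINS.has(event.origin)) return { ...event };
  return { ...event, trusted: false, kind: "untrusted-system" };
}

// Step 4: detection over session log events. A System: event that arrived
// from a cron origin without an explicit trusted:false label is the
// signature of the pre-patch behaviour (label dropped or set to true).
function findSuspiciousCronSystemEvents(events) {
  return events.filter(
    (e) => CRON_ORIGINS.has(e.origin) && e.kind === "System" && e.trusted !== false
  );
}

// Apply the guard to a whole batch, e.g. on the way into the session.
function sanitizeSessionEvents(events) {
  return events.map(enforceCronTrustLabel);
}

// Constructed sample session events (not real OpenClaw output).
const sampleEvents = [
  { id: 1, origin: "user", kind: "User", trusted: true, text: "summarise today's feed" },
  // label dropped entirely: the pre-patch failure mode
  { id: 2, origin: "cron-webhook", kind: "System", text: "[constructed feed content]" },
  // correctly labelled untrusted cron output
  { id: 3, origin: "cron", kind: "System", trusted: false, text: "feed digest: 3 items" },
  // explicitly mislabelled as trusted
  { id: 4, origin: "cron", kind: "System", trusted: true, text: "[constructed feed content]" },
];

// Detector flags ids 2 and 4 on the raw batch; after the guard it flags none.
const flaggedIds = findSuspiciousCronSystemEvents(sampleEvents).map((e) => e.id);
const flaggedAfterGuard = findSuspiciousCronSystemEvents(sanitizeSessionEvents(sampleEvents));
console.log("suspicious before guard:", flaggedIds, "after guard:", flaggedAfterGuard.length);
```

The detector is intentionally strict about a missing label, since an absent `trusted` field is what the pre-patch pipeline produced.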

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
6.1.2 - AI risk assessment
8.4 - AI system operation
NIST AI RMF
GOVERN 1.4 - Organizational risk tolerance for AI
MANAGE 2.2 - Mechanisms for activating AI risk response
OWASP LLM Top 10
LLM01:2025 - Prompt Injection

Frequently Asked Questions

What is GHSA-57r2-h2wj-g887?

OpenClaw's cron agent delivery pipeline failed to propagate `trusted: false` labels when forwarding webhook-triggered isolated agent output to the main session awareness stream, causing adversary-influenced content to render as a trusted `System:` event. While this does not directly bypass gateway auth, tool policy, or sandboxing, it is a meaningful force multiplier in agentic pipelines where prompt injection is already the primary attack surface — collapsing the trust boundary between sandboxed cron sessions and the main agent context. With only 4 downstream dependents, no active exploitation, no public exploit code, and no KEV listing, broad industry exposure is limited today, but any organization running OpenClaw with webhook-connected cron agents ingesting external data faces materially elevated prompt injection risk until patched. Upgrade to `openclaw@2026.4.20` immediately and audit all cron agent webhook configurations for untrusted input sources.

Is GHSA-57r2-h2wj-g887 actively exploited?

No confirmed active exploitation of GHSA-57r2-h2wj-g887 has been reported, but organizations should still patch proactively.

How to fix GHSA-57r2-h2wj-g887?

1. Upgrade the `openclaw` npm package to version `2026.4.20` or later — this is the only complete fix.

2. Until patched, audit all webhook-triggered cron agent configurations and eliminate or gate untrusted external input sources feeding into cron jobs.

3. If running a pre-patch version, implement application-level validation to explicitly enforce `trusted: false` on all cron-delivered events in downstream processing.

4. Monitor agent session logs for unexpected `System:` events originating from cron delivery paths as an anomaly detection signal.

5. Apply defense-in-depth by treating all cron agent outputs as untrusted in your agent's tool policy and capability grants, regardless of the trust label reported by the framework.

What systems are affected by GHSA-57r2-h2wj-g887?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines, webhook-triggered automation, cron-based AI agent orchestration.

What is the CVSS score for GHSA-57r2-h2wj-g887?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, agentic pipelines, webhook-triggered automation, cron-based AI agent orchestration

MITRE ATLAS Techniques

AML.T0051.001 Indirect
AML.T0051.002 Triggered
AML.T0080 AI Agent Context Poisoning
AML.T0080.001 Thread

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 1.4, MANAGE 2.2
OWASP LLM Top 10: LLM01:2025

What are the technical details?

Original Advisory

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`

## Impact

Output from webhook-triggered isolated cron agent runs could be queued into the main session awareness stream without `trusted: false`. That made the event render as a trusted `System:` event instead of an untrusted system event. This is a trust-labeling issue that can strengthen prompt-injection impact, but it does not directly bypass gateway auth, tool policy, or sandboxing. Severity is low.

## Fix

OpenClaw now preserves untrusted labels for isolated cron awareness events and forwards the trust flag through cron delivery helpers.

Fix commit:

- `f61896b03cc7031f51106a04566831f4ac2a0bd7`

## Release

Fixed in OpenClaw `2026.4.20`.

Exploitation Scenario

An adversary with influence over content processed by a webhook-connected OpenClaw cron agent — for example, by submitting a crafted payload to a monitored RSS feed, webhook endpoint, or external API the cron job polls — embeds adversarial prompt instructions in the content. When the cron agent processes the content and forwards its output to the main session awareness stream, the pre-patch behavior strips the `trusted: false` label. The main agent session receives the adversary's instructions rendered as a trusted `System:` event with full system authority, causing the agent to treat injected commands as legitimate system directives. This enables indirect prompt injection with elevated trust, potentially causing the agent to invoke unauthorized tools, exfiltrate session context or tool credentials, modify its operational behavior, or persist injected instructions across future turns.

Weaknesses (CWE)

CWE-345 — Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Source: MITRE CWE corpus.

Timeline

Published
April 25, 2026
Last Modified
April 25, 2026
First Seen
April 26, 2026
