GHSA-5fc7-f62m-8983: OpenClaw: local file read bypasses workspace policy

GHSA-5fc7-f62m-8983 LOW
Published April 9, 2026
CISO Take

OpenClaw's Feishu docx upload functionality (upload_file/upload_image) fails to enforce workspace-only filesystem restrictions, allowing reads of arbitrary local files — and this is an incomplete fix of a prior vulnerability (GHSA-qf48-qfv4-jjm9), meaning the boundary was already broken once before. While CVSS is unscored and no public exploit exists, local AI agents typically run with broad user-level filesystem access, putting SSH keys, .env files, API tokens, and browser credentials in scope for any user who processed attacker-controlled Feishu documents. The 60 prior CVEs in the openclaw package and AIID #1368 (malicious OpenClaw skills delivering AMOS credential stealers via ClawHub) establish a clear pattern of poor security boundaries in this ecosystem. Patch to 2026.4.8 immediately; if patching is delayed, disable Feishu docx upload features or apply OS-level sandboxing to restrict agent filesystem access.

Sources: GitHub Advisory, ATLAS

Risk Assessment

Low CVSS severity, but the scoped severity understates real-world risk for local AI agents. Any workspace policy bypass on an agent with broad filesystem permissions is a credential-exposure event on developer workstations. The incomplete-fix pattern (second attempt to close the same class of bug) signals systemic weakness in boundary enforcement — not an isolated slip. No active exploitation confirmed, no CISA KEV listing, no EPSS data available. Risk escalates significantly if openclaw agents run in environments where sensitive credentials are stored locally, which is nearly universal among developers and security practitioners who are the likely user base.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Patch: Upgrade openclaw to >= 2026.4.8 immediately.
  2. Verify fix: Confirm commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 is included in the installed version.
  3. Workaround (if patching delayed): Disable Feishu docx upload functionality — block or remove upload_file and upload_image tool access in agent configuration.
  4. Defense-in-depth: Run openclaw under OS-level sandboxing (macOS App Sandbox, Linux seccomp/AppArmor) to enforce filesystem restrictions at the kernel level, independent of application policy.
  5. Audit: If Feishu upload features were used in affected versions, review local file access logs for anomalous reads outside expected workspace directories.

Classification

Compliance Impact

This advisory is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.6.2.3 - AI system access control and resource restrictions
NIST AI RMF: GOVERN-1.7 - Processes for AI risk identification and management; MS-2.5 - AI system risk monitoring and evaluation
OWASP LLM Top 10: LLM07:2023 - Insecure Plugin Design; LLM08 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is GHSA-5fc7-f62m-8983 actively exploited?

No confirmed active exploitation of GHSA-5fc7-f62m-8983 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-5fc7-f62m-8983?

This vulnerability affects the following AI/ML architecture patterns: local AI agent deployments, agent frameworks with external document integrations, Feishu/Lark collaboration tool integrations.

What is the CVSS score for GHSA-5fc7-f62m-8983?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact

Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix).

Feishu document uploads could read local files outside the workspace-only file policy when processing docx upload blocks.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<=2026.4.3`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @Rosayxy for reporting.

Exploitation Scenario

An attacker shares a malicious Feishu document with a target OpenClaw user — for example, via a collaboration workspace or phishing link. The docx contains specially crafted upload_file or upload_image blocks referencing arbitrary local paths (e.g., ~/.ssh/id_rsa, .env containing API keys, ~/.aws/credentials). When OpenClaw's agent processes the document and invokes the Feishu upload tool, it reads the referenced local file without enforcing the workspace boundary restriction. The file contents are embedded in the upload request, effectively using OpenClaw as a local file exfiltration proxy that tunnels sensitive data to Feishu's infrastructure — a service the victim likely trusts and does not monitor for data loss.
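The workspace-only boundary this advisory concerns, sketched as an added example (not OpenClaw's code and not its fix): a Node.js gate that canonicalises a requested path before a local read and rejects anything that resolves outside the workspace. The function names, directory layout and file contents are assumptions constructed for the demo.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Workspace-only gate for local reads (added example, not OpenClaw's code).
// `home` is injectable so the "~/" case can run against constructed files.
function checkWorkspaceRead(workspaceRoot, requested, home = os.homedir()) {
  const root = fs.realpathSync(workspaceRoot);
  // Expand "~/" first so the decision covers what a later layer would open.
  const expanded = requested.startsWith("~/")
    ? path.join(home, requested.slice(2))
    : requested;
  let real;
  try {
    // realpath collapses ".." and follows symlinks placed inside the workspace.
    real = fs.realpathSync(path.resolve(root, expanded));
  } catch {
    return { allowed: false, reason: "unresolvable" }; // fail closed
  }
  // Compare by path segment: a string-prefix test would wrongly accept the
  // sibling directory "<root>-secrets".
  const rel = path.relative(root, real);
  const outside =
    rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  return outside
    ? { allowed: false, reason: "outside-workspace" }
    : { allowed: true, path: real };
}

// Constructed fixture: a workspace, a sibling sharing its name prefix, a fake
// home directory, and a symlink inside the workspace that points out of it.
function runDemo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ws-policy-"));
  const ws = path.join(base, "workspace");
  const sibling = path.join(base, "workspace-secrets");
  const home = path.join(base, "home");
  for (const d of [ws, sibling, path.join(home, ".ssh")]) fs.mkdirSync(d, { recursive: true });
  fs.writeFileSync(path.join(ws, "diagram.png"), "constructed image");
  fs.writeFileSync(path.join(sibling, "token.txt"), "constructed secret");
  fs.writeFileSync(path.join(home, ".ssh", "id_rsa"), "constructed key");
  fs.symlinkSync(path.join(sibling, "token.txt"), path.join(ws, "link.png"));
  const requests = ["diagram.png", "../workspace-secrets/token.txt",
    path.join(sibling, "token.txt"), "link.png", "~/.ssh/id_rsa", "missing.png"];
  const results = requests.map((r) => checkWorkspaceRead(ws, r, home));
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}

console.log(runDemo().map((r) => (r.allowed ? "allow" : r.reason)));
```

A caller should open the canonical `path` the gate returns rather than the original string, so the file that was checked is the file that is read.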

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026
