GHSA-5gjc-grvm-m88j: openclaw: auth bypass enables persistent memory config change

GHSA-5gjc-grvm-m88j MEDIUM
Published April 17, 2026
CISO Take

A write-scoped operator credential in openclaw could reach the `/dreaming` gateway endpoint and toggle persistent memory dreaming settings — a configuration class that should require admin-level access — due to missing privilege boundary enforcement (CWE-863, CWE-266). For CISOs running agentic AI pipelines, this means any compromised or over-permissioned operator token can silently alter how the agent retains memory across sessions, with effects that persist beyond individual interactions. No CVSS score, EPSS data, or CISA KEV listing exists, and with only 4 downstream dependents, broad blast radius is limited — however, openclaw carries 135 prior CVEs in the same package, signaling systemic authorization debt that warrants elevated scrutiny. Upgrade to openclaw >= 2026.4.10 immediately, audit operator-scoped tokens for unnecessary write permissions, and monitor gateway logs for unexpected requests to `/dreaming` from non-admin principals.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium-severity privilege escalation within an AI agent framework's configuration plane. No public exploit, no KEV listing, and no EPSS data reduce immediate exploitation urgency. However, the vulnerability class — operators bypassing admin-class controls via a missing scope check — is trivially exploitable given valid operator credentials, which are a common attack target via phishing or supply chain compromise. The 135 existing CVEs in the package suggest a pattern of security debt rather than an isolated defect, elevating systemic risk for organizations building on openclaw.

How does the attack unfold?

  1. Credential Acquisition (AML.T0012): Attacker obtains a valid operator.write-scoped token through phishing, a compromised CI/CD secret, or an over-permissioned service account.

  2. Privilege Escalation via API (AML.T0049): Attacker sends a crafted request to the `/dreaming` gateway endpoint using the operator credential; the missing scope check accepts the request as if it were admin-authorized.

  3. Persistent Config Mutation (AML.T0081): Memory dreaming settings are toggled and persist across all future agent sessions, altering the agent's memory retention behavior without admin awareness.

  4. Cross-Session Data Harvesting (AML.T0080.000): With dreaming enabled, the agent retains context across user sessions, allowing the attacker to query accumulated conversation history or behavioral state from subsequent interactions.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | >= 2026.4.5, < 2026.4.10 | 2026.4.10 |

4 dependents, 36% patched, ~3d to patch


How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Upgrade openclaw to >= 2026.4.10 (latest stable: 2026.4.14) — this is the only complete fix.

  2. Immediately audit all operator.write-scoped API tokens and revoke any that do not require write access.

  3. Search API gateway logs for POST/PUT requests to /dreaming from non-admin credentials in the affected version window (2026.4.5–2026.4.9).

  4. Add WAF rules or API gateway policy to block access to /dreaming from operator-class tokens as a defense-in-depth control.

  5. Review openclaw upgrade cadence — 135 CVEs in this package warrants evaluating whether it meets your organization's vendor security posture requirements.
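Steps 3 and 4 rest on the same predicate: a mutating request to `/dreaming` that does not carry admin scope. The sketch below is an added example, not openclaw's code or the advisory's; the JSON-lines log schema (`ts`, `method`, `path`, `scopes`, `principal`, `status`) and the scope names `operator.admin` and `operator.read` are assumptions to adapt to your gateway, and it also matches PATCH in addition to the POST/PUT named above.

```javascript
// Added example: log schema and scope names are assumptions, not openclaw's own.
const ADMIN_SCOPE = "operator.admin"; // hypothetical admin scope name; set to yours
const MUTATING = new Set(["POST", "PUT", "PATCH"]); // page names POST/PUT; PATCH added

// True when the path contains a "dreaming" segment (query and trailing slash ignored).
function isDreamingPath(rawPath) {
  const path = String(rawPath || "").split(/[?#]/)[0];
  let decoded;
  try { decoded = decodeURIComponent(path); } catch { decoded = path; }
  return decoded.toLowerCase().split("/").includes("dreaming");
}

// Policy predicate: a mutating /dreaming call without admin scope is a violation.
// Missing or malformed scope lists fail closed (treated as non-admin).
function violatesDreamingPolicy({ method, path, scopes }) {
  if (!MUTATING.has(String(method || "").toUpperCase())) return false;
  if (!isDreamingPath(path)) return false;
  return !(Array.isArray(scopes) && scopes.includes(ADMIN_SCOPE));
}

// Scan JSON-lines gateway logs; `applied` marks requests the gateway accepted (2xx).
function findSuspectRequests(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (entry === null || typeof entry !== "object") continue;
    if (!violatesDreamingPolicy(entry)) continue;
    const applied = entry.status >= 200 && entry.status < 300;
    hits.push({ ts: entry.ts, principal: entry.principal, applied });
  }
  return hits;
}

// Constructed sample log (one JSON object per line), not real traffic.
const SAMPLE_LOG = [
  '{"ts":"2026-04-08T10:01:00Z","method":"POST","path":"/dreaming","scopes":["operator.write"],"principal":"ci-bot","status":200}',
  '{"ts":"2026-04-08T10:02:00Z","method":"GET","path":"/dreaming","scopes":["operator.read"],"principal":"dash","status":200}',
  '{"ts":"2026-04-08T10:03:00Z","method":"put","path":"/dreaming/?enabled=true","scopes":["operator.write"],"principal":"svc-a","status":403}',
  '{"ts":"2026-04-08T10:04:00Z","method":"POST","path":"/dreaming","scopes":["operator.admin"],"principal":"root","status":200}',
  'not json',
].join("\n");

console.log(findSuspectRequests(SAMPLE_LOG));
```

Hits with `applied: true` are the ones where the setting may actually have changed; the same `violatesDreamingPolicy` predicate can back a deny rule at the gateway for step 4.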

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2 - Access control for AI systems
NIST AI RMF: GOVERN 1.7 - Processes for AI risk identification and management
OWASP LLM Top 10: LLM08:2025 - Excessive Agency

Frequently Asked Questions

Is GHSA-5gjc-grvm-m88j actively exploited?

No confirmed active exploitation of GHSA-5gjc-grvm-m88j has been reported, but organizations should still patch proactively.

How to fix GHSA-5gjc-grvm-m88j?

  1. Upgrade openclaw to >= 2026.4.10 (latest stable: 2026.4.14) — this is the only complete fix.

  2. Immediately audit all operator.write-scoped API tokens and revoke any that do not require write access.

  3. Search API gateway logs for POST/PUT requests to `/dreaming` from non-admin credentials in the affected version window (2026.4.5–2026.4.9).

  4. Add WAF rules or API gateway policy to block access to `/dreaming` from operator-class tokens as a defense-in-depth control.

  5. Review openclaw upgrade cadence — 135 CVEs in this package warrants evaluating whether it meets your organization's vendor security posture requirements.

What systems are affected by GHSA-5gjc-grvm-m88j?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI memory systems, agentic pipelines, multi-tenant agent deployments.

What is the CVSS score for GHSA-5gjc-grvm-m88j?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI memory systems, agentic pipelines, multi-tenant agent deployments

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0080.000 Memory
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

## Summary

Memory dreaming config persistence was reachable from operator.write commands.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.4.5 < 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

A write-scoped gateway path could toggle persistent memory dreaming settings through `/dreaming`, crossing into an admin-class configuration mutation.

## Technical Details

The fix requires admin scope for persistent dreaming gateway toggles.

## Fix

The issue was fixed in #63872. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `6af17b39e11f5f35e23b7e5a5f71a7d0aa3c7310`
- PR: #63872

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An attacker who has obtained a valid operator.write token — through a compromised CI/CD pipeline secret, a phished developer credential, or an over-permissioned service account — sends a crafted request to the openclaw `/dreaming` endpoint on a vulnerable version. Because the access check incorrectly allows operator scope where admin scope is required, the request succeeds and persistently enables memory dreaming across all future agent sessions. The attacker can now use the agent's retained cross-session memory to harvest context from subsequent user interactions, or disable memory retention to cover prior malicious activity, all without triggering admin-level audit controls.

Weaknesses (CWE)

CWE-266 — Incorrect Privilege Assignment: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design, Operation] Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026

Related Vulnerabilities