GHSA-5h3f-885m-v22w: openclaw: WS sessions persist after gateway token rotation
GHSA-5h3f-885m-v22w (MEDIUM)
OpenClaw's shared gateway token rotation fails to terminate existing WebSocket sessions, meaning an attacker who has already obtained session access retains it indefinitely even after the victim executes what should be a standard incident response action. Local AI agents like OpenClaw routinely have access to filesystem, code execution tools, and stored credentials — so a persistent unauthorized session is a meaningful foothold, not a cosmetic flaw. Context compounds the concern: this package carries 60 prior CVEs and is associated with a documented malicious skills ecosystem (AIID #1368, Feb 2026) where ~17% of third-party skills were assessed as malicious — suggesting the attacker pathway to obtaining an initial session is already well-trodden. Upgrade to openclaw 2026.4.8 immediately and restart the service to force-terminate all existing WebSocket sessions post-upgrade.
Risk Assessment
Medium severity in isolation, but elevated when considered against the deployment context of a local AI agent with broad system access. Token rotation is a core incident response control — its failure converts a recoverable credential compromise into a persistent access problem. No CVSS vector or EPSS data is available, no public exploit exists, and the local trust model limits blast radius. However, 60 prior CVEs in this package indicate systemic security debt, and the malicious skills ecosystem provides a realistic attacker pathway to initial session establishment, after which this vulnerability extends attacker dwell time past standard remediation.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |
Recommended Action
- Upgrade openclaw to 2026.4.8 (patched).
- Restart the OpenClaw service post-upgrade to force termination of all pre-existing WebSocket sessions — do not rely on token rotation alone.
- Monitor network traffic for unexpected persistent WebSocket connections to the OpenClaw gateway.
- Audit installed ClawHub skills for malicious indicators (see AIID #1368).
- If compromise is suspected, rotate all credentials accessible by the agent (API keys, OAuth tokens, local secrets) and review agent action logs for unauthorized activity.
Related AI Incidents (1)
Source: AI Incident Database (AIID)
Frequently Asked Questions
Is GHSA-5h3f-885m-v22w actively exploited?
No confirmed active exploitation of GHSA-5h3f-885m-v22w has been reported, but organizations should still patch proactively.
How to fix GHSA-5h3f-885m-v22w?
1. Upgrade openclaw to 2026.4.8 (patched).
2. Restart the OpenClaw service post-upgrade to force termination of all pre-existing WebSocket sessions — do not rely on token rotation alone.
3. Monitor network traffic for unexpected persistent WebSocket connections to the OpenClaw gateway.
4. Audit installed ClawHub skills for malicious indicators (see AIID #1368).
5. If compromise is suspected, rotate all credentials accessible by the agent (API keys, OAuth tokens, local secrets) and review agent action logs for unauthorized activity.
What systems are affected by GHSA-5h3f-885m-v22w?
This vulnerability affects the following AI/ML architecture patterns: local AI agent deployments, agent frameworks.
What is the CVSS score for GHSA-5h3f-885m-v22w?
No CVSS score has been assigned yet.
Technical Details
NVD Description
## Impact

Existing WS sessions survive shared gateway token rotation. Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
Exploitation Scenario
An attacker compromises the OpenClaw shared gateway token via a malicious ClawHub skill (per AIID #1368 patterns), credential theft, or local access. They establish a WebSocket session before the victim detects the breach. The victim discovers the compromise and rotates the gateway token as the standard remediation step. Under versions <= 2026.4.1, the attacker's existing session remains fully authenticated and active — the rotation has no effect on live sessions. The attacker retains persistent command-and-control over the local AI agent, its tools, and accessible resources indefinitely until the service is restarted or the session is explicitly killed.
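The scenario above comes down to a token that is checked only at handshake. The following is an added example, not OpenClaw's code: a small in-memory model of a gateway whose rotation either leaves live sessions alone (the flaw) or closes every session admitted under the old token (the fix). `Gateway`, `fakeSocket`, the close code 4401 and the token strings are hypothetical.

```javascript
// Added example: in-memory model of the flaw and the fix, not OpenClaw's code.
// Gateway, fakeSocket, close code 4401 and the tokens are hypothetical.
const crypto = require("node:crypto");
const fingerprint = (token) => crypto.createHash("sha256").update(token).digest();

class Gateway {
  constructor(token, revokeOnRotate) {
    this.tokenFp = fingerprint(token);
    this.revokeOnRotate = revokeOnRotate;
    this.sessions = new Map(); // id -> { socket, tokenFp used at handshake }
    this.nextId = 1;
  }
  // The token is checked once, at handshake; the session then stays trusted.
  connect(socket, presented) {
    const fp = fingerprint(presented);
    if (!crypto.timingSafeEqual(fp, this.tokenFp)) {
      socket.close(4401, "bad token");
      return null;
    }
    const id = this.nextId++;
    this.sessions.set(id, { socket, tokenFp: fp });
    return id;
  }
  // Rotation changes what new handshakes must present. Only the hardened
  // variant also closes sessions that were admitted under the old token.
  rotate(newToken) {
    this.tokenFp = fingerprint(newToken);
    if (!this.revokeOnRotate) return 0; // flawed: live sessions left alone
    let closed = 0;
    for (const [id, s] of this.sessions) {
      if (s.tokenFp.equals(this.tokenFp)) continue;
      s.socket.close(4401, "token rotated");
      this.sessions.delete(id);
      closed++;
    }
    return closed;
  }
  handle(id, msg) { return this.sessions.has(id) ? `ok:${msg}` : "rejected"; }
}
const fakeSocket = () => ({ closed: false, close() { this.closed = true; } });

function demo(revokeOnRotate) {
  const gw = new Gateway("old-token", revokeOnRotate); // constructed tokens
  const sock = fakeSocket();
  const id = gw.connect(sock, "old-token"); // session predates the rotation
  const closedByRotate = gw.rotate("new-token");
  return { closedByRotate, socketClosed: sock.closed,
           afterRotation: gw.handle(id, "run-tool"),
           oldTokenHandshake: gw.connect(fakeSocket(), "old-token") };
}
```

In both variants a new handshake with the old token is refused, which is why rotation can look effective while a session opened before it keeps working.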
Related Vulnerabilities
| ID | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-28451 | 9.3 | OpenClaw: SSRF via Feishu extension exposes internal services | Same package: openclaw |
| GHSA-m3mh-3mpg-37hw | 8.6 | OpenClaw: .npmrc hijack enables RCE on plugin install | Same package: openclaw |
| CVE-2026-27001 | 7.8 | OpenClaw: prompt injection via unsanitized workspace path | Same package: openclaw |
| GHSA-hr5v-j9h9-xjhg | 7.7 | OpenClaw: sandbox escape via mediaUrl path traversal | Same package: openclaw |