GHSA-5wj5-87vq-39xm: openclaw: auth bypass enables exec escalation on reconnect
GHSA-5wj5-87vq-39xm (severity: HIGH)
A previously paired node in OpenClaw can reconnect with an expanded command set — including exec-capable commands — without triggering the mandatory operator/admin re-pairing flow, effectively bypassing the scope enforcement that gates privileged operations. This authentication bypass (CWE-288) turns any compromised or rogue node with historical pairing credentials into a lateral movement vector with arbitrary execution capability inside the local assistant's trust boundary. OpenClaw already carries 60 CVEs in the same package, and AIID #1368 documents an active malicious skill distribution campaign on the same platform that exfiltrated credentials, meaning threat actors already have demonstrated tooling against this ecosystem. Patch to 2026.4.8 immediately; audit all paired node histories and revoke/re-pair any node whose pairing predates this fix.
Risk Assessment
High risk for teams deploying openclaw in AI agent pipelines or as a local assistant with multi-node architectures. The bypass requires only a previously paired node — a low bar in environments where pairing is routine — and immediately yields exec-level command access. No EPSS or KEV data is available, but the combination of a documented attacker ecosystem (AIID #1368), CWE-288 class exploitability, and command execution impact elevates this beyond a typical authentication weakness. The local trust model boundary limits internet-wide exposure but does not reduce risk for targeted environments.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |
Recommended Action
- Patch openclaw to version 2026.4.8 immediately — this is the only complete fix.
- Audit pairing logs for all nodes: identify any reconnections that occurred post-initial-pairing, especially those that subsequently invoked exec-level commands.
- Revoke and force re-pair all currently paired nodes after patching to eliminate any nodes that may have already escalated.
- Until patched, restrict network access to openclaw instances so only explicitly trusted hosts can initiate reconnections.
- Review installed skills against the ClawHub abuse patterns documented in AIID #1368 — malicious skills may have exploited this bypass.
- Enable command execution logging at the OS level to detect anomalous exec patterns from the openclaw process.
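The reconnect check the advisory describes, together with the pairing-log audit from the list above, as an added example that is not OpenClaw's own code: it assumes a hypothetical pairing record carrying an approvedCommands list, and the command names, node ids and event format are constructed for the example.

```javascript
// Added example, not OpenClaw's code: a hypothetical reconnect gate that never
// lets a node's effective command set grow beyond its pairing record without
// going back through operator/admin re-pairing. Command names are constructed;
// the "exec" ones stand in for the exec-capable, operator.admin-scoped commands.
const ADMIN_SCOPED_COMMANDS = new Set(['exec', 'exec.stream']);

// Vulnerable shape (CWE-288): whatever the node declares on reconnect is granted.
function reconnectVulnerable(pairing, request) {
  return { accepted: true, commands: request.commands };
}

// Hardened shape: pairing = { nodeId, approvedCommands } recorded at pairing
// time; request = { nodeId, commands } sent by the node on reconnect. Any growth
// is refused and routed to re-pairing; the exec-capable case is flagged separately.
function reconnectHardened(pairing, request) {
  if (pairing.nodeId !== request.nodeId) {
    return { accepted: false, reason: 'unknown-node', commands: [] };
  }
  const approved = new Set(pairing.approvedCommands);
  const escalated = request.commands.filter((c) => !approved.has(c));
  if (escalated.length > 0) {
    return {
      accepted: false,
      reason: 'repair-required',
      escalated,
      adminEscalation: escalated.some((c) => ADMIN_SCOPED_COMMANDS.has(c)),
      commands: [],
    };
  }
  return { accepted: true, commands: request.commands };
}

// Audit helper for the "audit pairing logs" action: replay recorded reconnect
// events against pairing records and return every one the gate would refuse.
// Record shapes below are constructed for this example, not OpenClaw's schema.
function auditReconnects(pairings, events) {
  const byNode = new Map(pairings.map((p) => [p.nodeId, p]));
  return events
    .filter((e) => e.type === 'reconnect')
    .map((e) => ({ at: e.at, nodeId: e.nodeId, ...(byNode.has(e.nodeId)
      ? reconnectHardened(byNode.get(e.nodeId), e)
      : { accepted: false, reason: 'unknown-node', commands: [] }) }))
    .filter((r) => !r.accepted);
}

const SAMPLE_PAIRINGS = [{ nodeId: 'node-a', approvedCommands: ['status', 'notify'] }];
const SAMPLE_EVENTS = [
  { type: 'reconnect', at: '2026-04-01T10:00Z', nodeId: 'node-a', commands: ['status'] },
  { type: 'reconnect', at: '2026-04-02T10:00Z', nodeId: 'node-a', commands: ['status', 'exec'] },
  { type: 'reconnect', at: '2026-04-03T10:00Z', nodeId: 'node-z', commands: ['exec'] },
];
```

Running auditReconnects over the sample events reports the second node-a reconnect as an exec-capable escalation and the node-z reconnect as an unknown node, while the first node-a reconnect passes.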
Related AI Incidents (1): AIID #1368 (Source: AI Incident Database (AIID))
Frequently Asked Questions
Is GHSA-5wj5-87vq-39xm actively exploited?
No confirmed active exploitation of GHSA-5wj5-87vq-39xm has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-5wj5-87vq-39xm?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI assistants, multi-node AI pipelines.
What is the CVSS score for GHSA-5wj5-87vq-39xm?
No CVSS score has been assigned yet.
Technical Details
NVD Description
Impact
Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement. A previously paired node could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<=2026.4.5`
- Patched versions: `2026.4.8`
Fix
The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.
Verification
The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.
Credits
Thanks @zsxsoft and @KeenSecurityLab for reporting.
Exploitation Scenario
An attacker who has compromised a peripheral device previously paired to an OpenClaw local assistant (e.g., via a malicious skill as documented in AIID #1368) initiates a reconnect from that device. The unpatched reconnect handler issues an expanded command set without verifying operator/admin scope, granting the attacker exec-capable commands. The attacker then uses these commands to enumerate the host filesystem, extract stored credentials or API keys from the local assistant's configuration, and establish persistence — all within the legitimate communication channel of the trusted pairing. This attack requires no user interaction after the initial compromise of a paired node.
Related Vulnerabilities (same package: openclaw)
- CVE-2026-30741 (9.8): OpenClaw: RCE via request-side prompt injection
- CVE-2026-28451 (9.3): OpenClaw: SSRF via Feishu extension exposes internal services
- GHSA-m3mh-3mpg-37hw (8.6): OpenClaw: .npmrc hijack enables RCE on plugin install
- CVE-2026-27001 (7.8): OpenClaw: prompt injection via unsanitized workspace path
- GHSA-hr5v-j9h9-xjhg (7.7): OpenClaw: sandbox escape via mediaUrl path traversal