GHSA-67mf-f936-ppxf: OpenClaw: scope misconfiguration enables unauthorized node pairing
GHSA-67mf-f936-ppxf MEDIUMOpenClaw's node pairing approval method (`node.pair.approve`) was incorrectly gated by the broad `operator.write` scope instead of the narrower `operator.pairing` scope with admin enforcement, meaning any operator with write access could approve exec-capable node connections they were never authorized to control. While this CVE carries a medium rating with no public exploit and no CISA KEV inclusion, the risk context is materially worse than the score suggests: OpenClaw has accumulated 60 CVEs in the same package, and AIID #1368 documents that its skill ecosystem was actively weaponized in February 2026 to deliver AMOS credential stealer — making any privilege boundary failure in this agent a compounding concern. Upgrade to openclaw 2026.4.8 immediately and audit all operators holding `operator.write` scope for unauthorized node pairings that may have been approved before the patch.
What is the risk?
Medium risk with elevated contextual concern. The vulnerability is trivially exploitable by any operator with write access — no special tooling or AI knowledge required — but the attack surface is bounded by OpenClaw's local trust model (no multi-tenant boundary). The primary amplifying factor is the package's security track record: 60 CVEs and a documented malware delivery incident via its ecosystem (AIID #1368) suggest inadequate security discipline in this codebase. Organizations running OpenClaw in environments where multiple operators share access should treat this as higher-priority than the CVSS alone implies.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.8 | 2026.4.8 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Upgrade to openclaw 2026.4.8 (commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5) immediately.
-
Audit all existing node pairings: review which nodes were approved and by which operator accounts prior to patching — revoke any pairings that lack a legitimate business justification.
-
Apply principle of least privilege to operator scopes: review all accounts holding
operator.writeand remove that scope whereoperator.reador narrower scopes suffice. -
Monitor agent execution logs for anomalous node-initiated actions in the post-patching window.
-
Given the package's 60-CVE history, evaluate whether openclaw is a justified dependency in your environment or whether a more actively maintained alternative exists.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-67mf-f936-ppxf?
OpenClaw's node pairing approval method (`node.pair.approve`) was incorrectly gated by the broad `operator.write` scope instead of the narrower `operator.pairing` scope with admin enforcement, meaning any operator with write access could approve exec-capable node connections they were never authorized to control. While this CVE carries a medium rating with no public exploit and no CISA KEV inclusion, the risk context is materially worse than the score suggests: OpenClaw has accumulated 60 CVEs in the same package, and AIID #1368 documents that its skill ecosystem was actively weaponized in February 2026 to deliver AMOS credential stealer — making any privilege boundary failure in this agent a compounding concern. Upgrade to openclaw 2026.4.8 immediately and audit all operators holding `operator.write` scope for unauthorized node pairings that may have been approved before the patch.
Is GHSA-67mf-f936-ppxf actively exploited?
No confirmed active exploitation of GHSA-67mf-f936-ppxf has been reported, but organizations should still patch proactively.
How to fix GHSA-67mf-f936-ppxf?
1. Upgrade to openclaw 2026.4.8 (commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5) immediately. 2. Audit all existing node pairings: review which nodes were approved and by which operator accounts prior to patching — revoke any pairings that lack a legitimate business justification. 3. Apply principle of least privilege to operator scopes: review all accounts holding `operator.write` and remove that scope where `operator.read` or narrower scopes suffice. 4. Monitor agent execution logs for anomalous node-initiated actions in the post-patching window. 5. Given the package's 60-CVE history, evaluate whether openclaw is a justified dependency in your environment or whether a more actively maintained alternative exists.
What systems are affected by GHSA-67mf-f936-ppxf?
This vulnerability affects the following AI/ML architecture patterns: local AI agents, agent frameworks, AI developer tooling.
What is the CVSS score for GHSA-67mf-f936-ppxf?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0012 Valid Accounts AML.T0053 AI Agent Tool Invocation AML.T0081 Modify AI Agent Configuration AML.T0112.000 Local AI Agent Compliance Controls Affected
What are the technical details?
Original Advisory
## Impact OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval. The pairing approval method accepted operator.write instead of the narrower pairing scope and admin requirement for exec-capable nodes. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= v2026.04.01` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting.
Exploitation Scenario
An attacker who has compromised or created an operator account with `operator.write` scope (a common permission for automation integrations) calls `node.pair.approve` against an exec-capable node they control. Under the correct scope model this would be denied — only `operator.pairing` with admin rights should authorize exec-capable pairings. Under the vulnerable version, the write-scoped token is accepted and the node is paired. The attacker's node now operates as a trusted execution endpoint within OpenClaw's agent trust model, enabling arbitrary command execution under the agent's local privilege context. This is particularly relevant given AIID #1368, where OpenClaw's skill ecosystem was abused to deliver credential stealers — a paired malicious node could replicate that delivery vector without requiring a malicious skill package.
Weaknesses (CWE)
CWE-269 — Improper Privilege Management: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
- [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw