GHSA-67mf-f936-ppxf — MEDIUM

Q: Is GHSA-67mf-f936-ppxf actively exploited?

No confirmed active exploitation of GHSA-67mf-f936-ppxf has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-67mf-f936-ppxf?

1. Upgrade to openclaw 2026.4.8 (commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5) immediately. 2. Audit all existing node pairings: review which nodes were approved and by which operator accounts prior to patching — revoke any pairings that lack a legitimate business justification. 3. Apply principle of least privilege to operator scopes: review all accounts holding `operator.write` and remove that scope where `operator.read` or narrower scopes suffice. 4. Monitor agent execution logs for anomalous node-initiated actions in the post-patching window. 5. Given the package's 60-CVE history, evaluate whether openclaw is a justified dependency in your environment or whether a more actively maintained alternative exists.

Q: What systems are affected by GHSA-67mf-f936-ppxf?

This vulnerability affects the following AI/ML architecture patterns: local AI agents, agent frameworks, AI developer tooling.

Q: What is the CVSS score for GHSA-67mf-f936-ppxf?

No CVSS score has been assigned yet.

CISO Take

OpenClaw's node pairing approval method (`node.pair.approve`) was incorrectly gated by the broad `operator.write` scope instead of the narrower `operator.pairing` scope with admin enforcement, meaning any operator with write access could approve exec-capable node connections they were never authorized to control. While this CVE carries a medium rating with no public exploit and no CISA KEV inclusion, the risk context is materially worse than the score suggests: OpenClaw has accumulated 60 CVEs in the same package, and AIID #1368 documents that its skill ecosystem was actively weaponized in February 2026 to deliver AMOS credential stealer — making any privilege boundary failure in this agent a compounding concern. Upgrade to openclaw 2026.4.8 immediately and audit all operators holding `operator.write` scope for unauthorized node pairings that may have been approved before the patch.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium risk with elevated contextual concern. The vulnerability is trivially exploitable by any operator with write access — no special tooling or AI knowledge required — but the attack surface is bounded by OpenClaw's local trust model (no multi-tenant boundary). The primary amplifying factor is the package's security track record: 60 CVEs and a documented malware delivery incident via its ecosystem (AIID #1368) suggest inadequate security discipline in this codebase. Organizations running OpenClaw in environments where multiple operators share access should treat this as higher-priority than the CVSS alone implies.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	< 2026.4.8	`2026.4.8`
4 dependents 91% patched ~0d to patch Full package profile →

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

Upgrade to openclaw 2026.4.8 (commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5) immediately.
Audit all existing node pairings: review which nodes were approved and by which operator accounts prior to patching — revoke any pairings that lack a legitimate business justification.
Apply principle of least privilege to operator scopes: review all accounts holding operator.write and remove that scope where operator.read or narrower scopes suffice.
Monitor agent execution logs for anomalous node-initiated actions in the post-patching window.
Given the package's 60-CVE history, evaluate whether openclaw is a justified dependency in your environment or whether a more actively maintained alternative exists.

Classification

Auth Bypass Supply Chain Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0012 - Valid Accounts AML.T0053 - AI Agent Tool Invocation AML.T0081 - Modify AI Agent Configuration AML.T0112.000 - Local AI Agent

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.2 - AI system access control A.8.2 - AI System Design

NIST AI RMF

GOVERN 1.1 - Policies and procedures for AI risk management GOVERN 1.7 - Processes for Identifying AI Risks

OWASP LLM Top 10

LLM06 - Excessive Agency LLM08 - Excessive Agency

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

AIID #1368 documents malicious actors weaponizing OpenClaw's skill ecosystem to deliver AMOS credential stealer — the same package and agent execution surface exposed by this CVE. Unauthorized exec-capable node pairing enabled by this privilege flaw could serve as an alternative delivery vector for the same class of malware-via-agent-execution attack documented in the incident.

AIID #1368

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is GHSA-67mf-f936-ppxf?

OpenClaw's node pairing approval method (`node.pair.approve`) was incorrectly gated by the broad `operator.write` scope instead of the narrower `operator.pairing` scope with admin enforcement, meaning any operator with write access could approve exec-capable node connections they were never authorized to control. While this CVE carries a medium rating with no public exploit and no CISA KEV inclusion, the risk context is materially worse than the score suggests: OpenClaw has accumulated 60 CVEs in the same package, and AIID #1368 documents that its skill ecosystem was actively weaponized in February 2026 to deliver AMOS credential stealer — making any privilege boundary failure in this agent a compounding concern. Upgrade to openclaw 2026.4.8 immediately and audit all operators holding `operator.write` scope for unauthorized node pairings that may have been approved before the patch.

Is GHSA-67mf-f936-ppxf actively exploited?

No confirmed active exploitation of GHSA-67mf-f936-ppxf has been reported, but organizations should still patch proactively.

How to fix GHSA-67mf-f936-ppxf?

1. Upgrade to openclaw 2026.4.8 (commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5) immediately. 2. Audit all existing node pairings: review which nodes were approved and by which operator accounts prior to patching — revoke any pairings that lack a legitimate business justification. 3. Apply principle of least privilege to operator scopes: review all accounts holding `operator.write` and remove that scope where `operator.read` or narrower scopes suffice. 4. Monitor agent execution logs for anomalous node-initiated actions in the post-patching window. 5. Given the package's 60-CVE history, evaluate whether openclaw is a justified dependency in your environment or whether a more actively maintained alternative exists.

What systems are affected by GHSA-67mf-f936-ppxf?

This vulnerability affects the following AI/ML architecture patterns: local AI agents, agent frameworks, AI developer tooling.

What is the CVSS score for GHSA-67mf-f936-ppxf?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

local AI agentsagent frameworksAI developer tooling

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool

AML.T0012 Valid Accounts

AML.T0053 AI Agent Tool Invocation

AML.T0081 Modify AI Agent Configuration

AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.6.2, A.8.2

NIST AI RMF: GOVERN 1.1, GOVERN 1.7

OWASP LLM Top 10: LLM06, LLM08

Technical Details

Original Advisory

## Impact OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval. The pairing approval method accepted operator.write instead of the narrower pairing scope and admin requirement for exec-capable nodes. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= v2026.04.01` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting.

Exploitation Scenario

An attacker who has compromised or created an operator account with `operator.write` scope (a common permission for automation integrations) calls `node.pair.approve` against an exec-capable node they control. Under the correct scope model this would be denied — only `operator.pairing` with admin rights should authorize exec-capable pairings. Under the vulnerable version, the write-scoped token is accepted and the node is paired. The attacker's node now operates as a trusted execution endpoint within OpenClaw's agent trust model, enabling arbitrary command execution under the agent's local privilege context. This is particularly relevant given AIID #1368, where OpenClaw's skill ecosystem was abused to deliver credential stealers — a paired malicious node could replicate that delivery vector without requiring a malicious skill package.