GHSA-68x5-xx89-w9mm — MEDIUM AI Security Vulnerability

Q: Is GHSA-68x5-xx89-w9mm actively exploited?

No confirmed active exploitation of GHSA-68x5-xx89-w9mm has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-68x5-xx89-w9mm?

1. Upgrade openclaw (npm) to version 2026.4.8, which contains the verified fix at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. 2. Until patched, replace all config reload operations with a full process restart to ensure the resolvedAuth closure is reinitialized with the current config. 3. Audit gateway connection logs for sessions established in the window immediately following any config reload event — flag any that persist under credentials or permissions that were changed by that reload. 4. If openclaw is deployed in any shared or multi-user context despite the advisory's local-assistant scope, escalate urgency to high and patch immediately. 5. Review the fix commit to validate that your deployment pattern falls within the tested security boundary and regression tests cover your use case.

Q: What systems are affected by GHSA-68x5-xx89-w9mm?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI agents.

Q: What is the CVSS score for GHSA-68x5-xx89-w9mm?

No CVSS score has been assigned yet.

CISO Take

OpenClaw's gateway authentication relies on a resolvedAuth closure that is not refreshed after a configuration reload, meaning all new gateway connections established post-reload inherit the pre-reload authentication state rather than the updated one. In any scenario where a config reload was intended to enforce tighter access — revoking credentials, restricting permissions, or blocking a user — those changes simply do not take effect for new connections until a full process restart. While the advisory explicitly scopes this to OpenClaw's local assistant trust model rather than multi-tenant deployments, organizations running OpenClaw as part of agentic workflows with real tool access boundaries should treat stale auth state in an agent gateway as a privilege boundary failure. Upgrade to 2026.4.8 immediately; the only effective workaround prior to patching is performing a full process restart rather than a config reload whenever authentication configuration changes.

Sources: GitHub Advisory ATLAS

Risk Assessment

Overall risk is medium and contextually constrained. The vulnerability requires a config reload event to be triggered, limiting opportunistic exploitation to a specific operational window. The advisory's explicit scoping to a local assistant trust model significantly narrows blast radius compared to a cloud gateway or multi-tenant service. No EPSS data is available, no CISA KEV listing exists, and no public exploit has been released, all of which reduce immediate exploitation likelihood. However, the openclaw package carries 60 historical CVEs — a pattern that warrants scrutiny of the overall security posture. The principal risk is in organizations that have deployed openclaw as an agent gateway fronting sensitive tools or services, where a config reload was expected to immediately enforce revoked access but silently failed to do so.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	< 2026.4.8	`2026.4.8`

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

Recommended Action

Upgrade openclaw (npm) to version 2026.4.8, which contains the verified fix at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
Until patched, replace all config reload operations with a full process restart to ensure the resolvedAuth closure is reinitialized with the current config.
Audit gateway connection logs for sessions established in the window immediately following any config reload event — flag any that persist under credentials or permissions that were changed by that reload.
If openclaw is deployed in any shared or multi-user context despite the advisory's local-assistant scope, escalate urgency to high and patch immediately.
Review the fix commit to validate that your deployment pattern falls within the tested security boundary and regression tests cover your use case.

Classification

Auth Bypass Agent AML.T0012 - Valid Accounts AML.T0081 - Modify AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Compliance Impact

This CVE is relevant to:

ISO 42001

A.6.2 - Access control

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain oversight and control of AI systems

OWASP LLM Top 10

LLM08 - Excessive Agency

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

AIID #1368 describes credential exfiltration via malicious OpenClaw skills in the same package ecosystem. A stale auth closure bug in OpenClaw's gateway is materially related: in post-compromise scenarios where operators revoke access via config reload, this vulnerability would allow the attacker's session to persist under the old auth state — the same failure mode of auth controls not being enforced in OpenClaw.

AIID #1368

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is GHSA-68x5-xx89-w9mm?

OpenClaw's gateway authentication relies on a resolvedAuth closure that is not refreshed after a configuration reload, meaning all new gateway connections established post-reload inherit the pre-reload authentication state rather than the updated one. In any scenario where a config reload was intended to enforce tighter access — revoking credentials, restricting permissions, or blocking a user — those changes simply do not take effect for new connections until a full process restart. While the advisory explicitly scopes this to OpenClaw's local assistant trust model rather than multi-tenant deployments, organizations running OpenClaw as part of agentic workflows with real tool access boundaries should treat stale auth state in an agent gateway as a privilege boundary failure. Upgrade to 2026.4.8 immediately; the only effective workaround prior to patching is performing a full process restart rather than a config reload whenever authentication configuration changes.

Is GHSA-68x5-xx89-w9mm actively exploited?

No confirmed active exploitation of GHSA-68x5-xx89-w9mm has been reported, but organizations should still patch proactively.

How to fix GHSA-68x5-xx89-w9mm?

1. Upgrade openclaw (npm) to version 2026.4.8, which contains the verified fix at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. 2. Until patched, replace all config reload operations with a full process restart to ensure the resolvedAuth closure is reinitialized with the current config. 3. Audit gateway connection logs for sessions established in the window immediately following any config reload event — flag any that persist under credentials or permissions that were changed by that reload. 4. If openclaw is deployed in any shared or multi-user context despite the advisory's local-assistant scope, escalate urgency to high and patch immediately. 5. Review the fix commit to validate that your deployment pattern falls within the tested security boundary and regression tests cover your use case.

What systems are affected by GHSA-68x5-xx89-w9mm?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI agents.

What is the CVSS score for GHSA-68x5-xx89-w9mm?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact resolvedAuth closure becomes stale after config reload. After a config reload, newly accepted gateway connections could continue using stale resolved auth state. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Exploitation Scenario

An attacker with local access or a compromised account waits for or triggers an OpenClaw config reload — for example, by knowing that the operator routinely reloads config during routine maintenance, or by social engineering the operator into applying a config change. Immediately after the reload, the attacker establishes a new gateway connection. Because the resolvedAuth closure was not refreshed, the connection is evaluated against the pre-reload auth state, which may include credentials or permissions that the config change was intended to revoke. The attacker now operates under the old, more permissive auth context, maintaining access to downstream tools, APIs, or local resources that should have been blocked. This is particularly damaging in incident response scenarios where the operator believed revoking access via config reload was sufficient to contain a compromise.