GHSA-7jm2-g593-4qrc: openclaw: config guard bypass, persistent settings mutation

GHSA-7jm2-g593-4qrc MEDIUM
Published April 25, 2026
CISO Take

OpenClaw's gateway failed to enforce authorization checks on a broad set of operator-trusted configuration paths, allowing a prompt-injected model with access to the owner-only gateway tool to persistently modify sandbox policies, plugin enablement, MCP server configuration, SSRF controls, auth/TLS parameters, and filesystem hardening. While this is not a remote unauthenticated attack — it requires prior prompt injection as a precondition — the blast radius is substantial: successful exploitation systematically dismantles multiple defense layers across agent infrastructure in a single operation. With 135 CVEs already recorded against the openclaw package and no public exploit currently available, this is a targeted but material risk for any organization running AI agent frameworks on OpenClaw. Upgrade to version 2026.4.20 immediately and audit gateway configuration logs for unexpected config.patch or config.apply invocations originating from model-driven calls.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium risk overall, but elevated for organizations deploying OpenClaw in environments where agents process untrusted external content. Exploitation requires two conditions: successful prompt injection into the model and model-level access to the owner-only gateway tool. The absence of a public exploit and only 4 downstream dependents keep this below the critical threshold. However, the consequence of successful exploitation is disproportionately severe relative to its medium rating — an attacker can systematically erode sandbox isolation, SSRF defenses, and filesystem hardening in a single config mutation, creating a persistent foundation for escalation well beyond the initial medium-severity finding. The 135 CVEs in this package signal a pattern of incomplete security boundary enforcement that warrants elevated scrutiny.

How does the attack unfold?

  1. Prompt Injection (AML.T0051.001): Adversary embeds malicious instructions in external content ingested by the OpenClaw agent — a document, webpage, or tool API response — triggering indirect prompt injection.

  2. Tool Invocation (AML.T0053): The prompt-injected model invokes the owner-only gateway config.patch or config.apply tool, which the insufficient authorization guard fails to block for operator-trusted setting paths.

  3. Config Guard Bypass (AML.T0081): The pre-patch guard's incomplete path coverage allows the model to mutate sandbox policy, SSRF policy, MCP server config, plugin enablement, and filesystem hardening settings persistently.

  4. Persistent Misconfiguration (AML.T0107): Weakened sandbox isolation and disabled SSRF/filesystem controls provide an attacker-controlled foothold for follow-on attacks — credential exfiltration, internal network access, or backdoor via modified MCP endpoints.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: < 2026.4.20
Patched: 2026.4.20
Dependents: 4 (37% patched, ~3d to patch)


How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Upgrade openclaw to version 2026.4.20 — this is the only complete fix; the release patches config.patch/config.apply guards across the full operator-trusted path set including per-agent overrides and array-entry patching.

  2. If immediate upgrade is blocked, restrict model-level access to the gateway config tool as an emergency workaround.

  3. Audit current gateway configuration for unauthorized modifications, specifically targeting sandbox_policy, ssrf_policy, plugin_enabled, mcp_servers, filesystem_hardening, and hook_routing fields.

  4. Implement prompt injection detection at model input boundaries — apply content filtering on all external data sources before agent ingestion.

  5. Enable audit logging on all config.patch and config.apply invocations and alert on model-initiated calls to operator-trusted paths.

  6. Apply least-privilege to agent tool scopes: block model access to owner-only tools unless explicitly required by the deployment.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system deployment
NIST AI RMF
GOVERN-1.1 - Policies and processes for AI risk management
OWASP LLM Top 10
LLM01:2025 - Prompt Injection
LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is GHSA-7jm2-g593-4qrc actively exploited?

No confirmed active exploitation of GHSA-7jm2-g593-4qrc has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-7jm2-g593-4qrc?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI gateway infrastructure, MCP server deployments, agentic pipelines with tool access, plugin-enabled AI platforms.

What is the CVSS score for GHSA-7jm2-g593-4qrc?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI gateway infrastructure, MCP server deployments, agentic pipelines with tool access, plugin-enabled AI platforms

MITRE ATLAS Techniques

AML.T0051.001 LLM Prompt Injection: Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: GOVERN-1.1
OWASP LLM Top 10: LLM01:2025, LLM06:2025

What are the technical details?

Original Advisory

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`

## Impact

The agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings.

This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium.

## Fix

OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching.

Fix commit:

- `fe30b31a97a917ecc6e92f6c85378b6b20352422`

## Release

Fixed in OpenClaw `2026.4.20`.
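The advisory's fix description (a guard over the full operator-trusted path set that also covers per-agent overrides and array-entry patching) and remediation steps 3 and 5 above (auditing the configuration fields and alerting on model-initiated config.patch/config.apply calls) both come down to one question: does a given dotted config path resolve to an operator-trusted setting? The following is an added illustration, not OpenClaw's code. The config layout, the `agents.<id>.<setting>` override shape, the actor labels `model`/`operator`, the key names (taken from this page's remediation list, not verified against OpenClaw's real schema) and the JSON-lines audit log format are all assumptions made for the example.

```javascript
// Added example, not OpenClaw's code. Config layout, key names, actor labels
// and log format are assumptions chosen for illustration.

// Operator-trusted setting prefixes (names follow this page's remediation
// list; OpenClaw's real key names may differ).
const OPERATOR_TRUSTED_PREFIXES = [
  "sandbox_policy", "ssrf_policy", "plugin_enabled", "mcp_servers",
  "filesystem_hardening", "hook_routing", "gateway.auth", "gateway.tls",
];

// Normalize a dotted path to the setting it actually changes:
//   agents.<id>.<setting> -> <setting>        (assumed per-agent override)
//   mcp_servers.2.url     -> mcp_servers.url  (array entry)
// A guard that only compares raw top-level keys misses both forms.
function canonicalPath(path) {
  let parts = path.split(".");
  if (parts[0] === "agents" && parts.length >= 3) parts = parts.slice(2);
  return parts.filter((p) => !/^\d+$/.test(p)).join(".");
}

function isOperatorTrusted(path) {
  const c = canonicalPath(path);
  return OPERATOR_TRUSTED_PREFIXES.some((p) => c === p || c.startsWith(p + "."));
}

// Enumerate the leaf paths of a nested object/array as dotted strings.
function leafPaths(value, prefix = "") {
  if (value === null || typeof value !== "object") return prefix ? [prefix] : [];
  const entries = Array.isArray(value)
    ? value.map((v, i) => [String(i), v])
    : Object.entries(value);
  if (entries.length === 0) return prefix ? [prefix] : [];
  return entries.flatMap(([k, v]) => leafPaths(v, prefix ? `${prefix}.${k}` : k));
}

function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Paths whose values differ between two configs. Either side may lack a
// path, so a removed setting counts as a change too.
function changedPaths(before, after) {
  const all = new Set([...leafPaths(before), ...leafPaths(after)]);
  return [...all].filter(
    (p) => JSON.stringify(getPath(before, p)) !== JSON.stringify(getPath(after, p)),
  );
}

// (1) Gateway-side guard. config.patch merges `payload`; config.apply
// replaces the whole config, so its touched set is the diff against the
// current config. Operators may change anything; a model-driven call may
// not touch any operator-trusted path.
function guardConfigMutation({ actor, op, current, payload }) {
  if (actor === "operator") return { allowed: true, blocked: [] };
  const touched =
    op === "config.apply" ? changedPaths(current, payload) : leafPaths(payload);
  const blocked = touched.filter(isOperatorTrusted);
  return { allowed: blocked.length === 0, blocked };
}

// (2a) Drift audit against a known-good baseline (remediation step 3).
function auditConfigDrift(baseline, current) {
  return changedPaths(baseline, current).filter(isOperatorTrusted);
}

// (2b) Audit log review (remediation step 5). One JSON event per line; the
// event shape is constructed for this example. Every model-driven config
// call is surfaced, with severity raised when it touches a trusted path,
// and unparseable lines are reported rather than silently dropped.
function findModelConfigMutations(auditLogText) {
  const alerts = [];
  auditLogText.split("\n").forEach((line, i) => {
    if (!line.trim()) return;
    let ev;
    try { ev = JSON.parse(line); } catch { alerts.push({ line: i + 1, reason: "unparseable" }); return; }
    if (ev.actor !== "model" || !["config.patch", "config.apply"].includes(ev.tool)) return;
    const trusted = (ev.paths || []).filter(isOperatorTrusted);
    alerts.push({ line: i + 1, session: ev.session, tool: ev.tool,
                  severity: trusted.length ? "high" : "review", paths: trusted });
  });
  return alerts;
}

// Constructed sample audit log (not real OpenClaw output).
const SAMPLE_AUDIT_LOG = [
  '{"ts":"2026-04-25T10:00:00Z","actor":"operator","tool":"config.patch","paths":["ssrf_policy.allow"]}',
  '{"ts":"2026-04-25T10:05:00Z","actor":"model","session":"s1","tool":"config.patch","paths":["ui.theme"]}',
  '{"ts":"2026-04-25T10:06:00Z","actor":"model","session":"s1","tool":"config.patch","paths":["agents.a1.sandbox_policy","mcp_servers.1.url"]}',
  "not json",
].join("\n");

module.exports = { guardConfigMutation, auditConfigDrift, findModelConfigMutations, SAMPLE_AUDIT_LOG };
```

The guard is a deny-list over canonicalized paths because that is the shape of the fix the advisory describes; the safer long-term design for a tool a model can call is an allow-list of the few paths it may write, which is what remediation step 6 amounts to. Note also that `config.apply` is diffed rather than scanned, so omitting a protected key from the replacement config (which would delete it) is caught as a change.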

Exploitation Scenario

An attacker plants a prompt injection payload in content the OpenClaw agent is tasked with processing — for example, a malicious document, a compromised tool API response, or adversary-controlled webpage content. The injected instructions direct the model to invoke the owner-only gateway config.patch tool targeting settings not covered by the pre-patch guard: first disabling sandbox_policy to break process isolation, then modifying ssrf_policy to permit requests to internal infrastructure. Because the guard bypass allows these mutations to persist, a subsequent session finds the agent operating in a weakened security posture. The attacker then uses the disabled SSRF controls to probe internal services and the removed filesystem hardening to read sensitive configuration files, ultimately exfiltrating credentials or establishing a persistent backdoor through a modified MCP server endpoint.

Weaknesses (CWE)

CWE-1220 — Insufficient Granularity of Access Control: The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

  • [Architecture and Design, Implementation, Testing] Access-control-policy protections must be reviewed for design inconsistency and common weaknesses. Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.

Source: MITRE CWE corpus.

Timeline

Published: April 25, 2026
Last Modified: April 25, 2026
First Seen: April 26, 2026
