GHSA-7jp6-r74r-995q: openclaw: auth bypass lets write-scope callers mutate admin config

GHSA-7jp6-r74r-995q HIGH
Published April 17, 2026
CISO Take

openclaw's gateway incorrectly allows operator.write message-tool callers to reach Matrix profile persistence endpoints that require admin authority, effectively granting privilege escalation to any write-scoped principal. With 135 CVEs in the same package and 4 downstream dependents, this represents a systemic security hygiene problem in the openclaw ecosystem rather than an isolated incident — teams relying on openclaw for AI agent orchestration should treat the package's vulnerability history as a serious risk signal. No public exploit exists, EPSS data is unavailable, and the vulnerability is not in CISA KEV, but the authorization boundary failure is straightforward to exploit by any authenticated operator with write access. Upgrade to openclaw 2026.4.10 or later (v2026.4.14 is the current stable release containing the fix).

Sources: GitHub Advisory, ATLAS

What is the risk?

HIGH severity authorization bypass with a clear exploitation path for any operator-level principal. Mitigating factors: no public exploit, not in KEV, limited downstream dependents (4). Aggravating factors: 135 CVEs in the same package indicates chronic security debt; AI agent frameworks controlling persistent configuration represent high-value targets since admin config mutation can alter agent behavior across all sessions and users.

How does the attack unfold?

Initial Access (AML.T0012): Attacker acquires operator.write credentials to an openclaw agent gateway via account compromise, insider access, or through a poisoned skill in the openclaw ecosystem.
Exploitation (AML.T0053): Attacker crafts message-tool API calls targeting Matrix profile persistence endpoints, bypassing the admin-level authorization gate that was missing on write-scoped paths.
Persistence (AML.T0081): Attacker mutates persistent Matrix profile configuration, injecting malicious tool definitions, system prompt overrides, or backdoor config entries that survive session termination.
Impact (AML.T0080): Modified profile configuration persists across all future sessions, altering AI agent behavior for every user, enabling ongoing data exfiltration, agent manipulation, or lateral movement.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.10 | 2026.4.10 |

4 dependents; 36% patched; ~3d to patch.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Upgrade openclaw to v2026.4.10 or later (v2026.4.14 recommended as latest stable).

  2. Audit existing Matrix profile configurations for unauthorized modifications — compare against last known-good baseline.

  3. Review access logs for operator.write message-tool calls to profile persistence endpoints prior to the patch date (2026-04-10).

  4. If immediate patching is not possible, restrict operator.write access to trusted principals only and monitor for anomalous profile mutation activity.

  5. Given 135 CVEs in this package, conduct a broader risk assessment on continued reliance on openclaw in production agent pipelines.
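One way to carry out the baseline comparison in step 2, as an added example that is not part of the advisory or of openclaw: a recursive diff that reports which paths in a profile config were added, removed or modified relative to a known-good copy. The profile keys and values are constructed placeholders, not openclaw's real Matrix profile schema.

```javascript
// Constructed sample data: placeholder keys, not openclaw's real schema.
const baseline = {
  displayName: "support-bot",
  avatarUrl: "mxc://example.org/abc",
  tools: [{ name: "search" }],
};
const current = {
  displayName: "support-bot",
  avatarUrl: "mxc://example.org/zzz",
  tools: [{ name: "search" }, { name: "export" }],
  extra: { note: "added" },
};

const isContainer = (v) => v !== null && typeof v === "object";

// Walk both trees and return one finding per path that differs.
// Arrays are compared index by index, so appended entries show up as "added".
function diffConfig(base, cur, path = "") {
  const findings = [];
  const sameKind =
    isContainer(base) && isContainer(cur) &&
    Array.isArray(base) === Array.isArray(cur);
  if (sameKind) {
    const keys = new Set([...Object.keys(base), ...Object.keys(cur)]);
    for (const key of [...keys].sort()) {
      const here = path ? `${path}.${key}` : key;
      // Object.hasOwn avoids matching inherited names such as "constructor".
      if (!Object.hasOwn(cur, key)) {
        findings.push({ path: here, change: "removed" });
      } else if (!Object.hasOwn(base, key)) {
        findings.push({ path: here, change: "added" });
      } else {
        findings.push(...diffConfig(base[key], cur[key], here));
      }
    }
  } else if (JSON.stringify(base) !== JSON.stringify(cur)) {
    // Scalar change, or a type change such as object -> string.
    findings.push({ path: path || "(root)", change: "modified" });
  }
  return findings;
}

// Every finding is a change that needs an owner-approved explanation.
function auditProfile() {
  return diffConfig(baseline, current);
}
```

Run it against an export taken before the vulnerable window and the live config; an empty result means no drift from the baseline.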

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.1 - Policies for AI system security
NIST AI RMF: GOVERN-6.2 - Policies and procedures address AI risks
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is GHSA-7jp6-r74r-995q actively exploited?

No confirmed active exploitation of GHSA-7jp6-r74r-995q has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-7jp6-r74r-995q?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent orchestration, multi-user AI agent gateways.

What is the CVSS score for GHSA-7jp6-r74r-995q?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI agent orchestration, multi-user AI agent gateways

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1
NIST AI RMF: GOVERN-6.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Summary

Matrix profile config persistence was reachable from operator.write message tools.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

Gateway `operator.write` message-tool paths could reach Matrix profile persistence that should have required admin-level authority.

## Technical Details

The fix gates Matrix profile updates for non-owner message-tool runs and prevents write-scoped callers from mutating persistent profile config.

## Fix

The issue was fixed in #62662. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `fe0f686c9228fffcec6de4011da45e69a6e23e54`
- PR: #62662

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An attacker with legitimate operator.write access to an openclaw-powered AI agent gateway — via a compromised developer account, a malicious internal user, or a backdoored skill in the openclaw ecosystem — crafts message-tool API calls targeting Matrix profile persistence endpoints. Because the write-scoped path bypasses the admin-level authorization gate, the attacker successfully mutates persistent profile configuration. This could be used to alter the agent's effective system prompt, inject malicious tool definitions, or create backdoor configuration entries that persist across sessions and affect every user interacting with that agent profile.

Weaknesses (CWE)

CWE-266 — Incorrect Privilege Assignment: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design, Operation] Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Source: MITRE CWE corpus.
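The kind of gate the advisory's Technical Details describe, shown as an added example of the CWE-266 pattern and its correction; this is not openclaw's code. The action names, the `operator.admin` label for admin authority, the `senderIsOwner` flag and the context shape are all assumptions made for illustration; only `operator.write` comes from the advisory.

```javascript
// Hypothetical action -> required-scope table. A Map is used so that
// inherited names such as "constructor" never resolve to a requirement.
const REQUIRED = new Map([
  ["message.send", "operator.write"],
  ["profile.persist", "operator.admin"], // assumed label for admin authority
]);

// 'Before' shape: the message-tool entry point is authorised once and every
// action behind it inherits that decision, including the persistent write.
function authorizeBefore(ctx, _action) {
  return ctx.scopes.includes("operator.write");
}

// 'After' shape: each action names its own requirement, unknown actions are
// denied, and persistent profile writes also need an owner-initiated run.
function authorizeAfter(ctx, action) {
  const needed = REQUIRED.get(action);
  if (needed === undefined) return false; // deny by default
  if (!ctx.scopes.includes(needed)) return false;
  if (action === "profile.persist" && !ctx.senderIsOwner) return false;
  return true;
}

// Dispatcher with an in-memory object standing in for persistent config.
function runTool(authorize, ctx, action, store, patch) {
  if (!authorize(ctx, action)) return { ok: false, reason: "forbidden" };
  if (action === "profile.persist") Object.assign(store, patch);
  return { ok: true };
}

// Constructed caller: write scope only, not the profile owner.
function compare() {
  const writer = { scopes: ["operator.write"], senderIsOwner: false };
  const patch = { displayName: "changed" };
  const storeBefore = { displayName: "bot" };
  const storeAfter = { displayName: "bot" };
  return {
    before: runTool(authorizeBefore, writer, "profile.persist", storeBefore, patch),
    after: runTool(authorizeAfter, writer, "profile.persist", storeAfter, patch),
    storeBefore,
    storeAfter,
  };
}
```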

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
