GHSA-82qx-6vj7-p8m2: openclaw: trust bypass loads untrusted workspace plugins

GHSA-82qx-6vj7-p8m2 HIGH
Published April 17, 2026
CISO Take

The openclaw npm package contained a trust boundary failure where workspace plugin shadows could be resolved before bundled, authorized channel plugins during setup — effectively allowing untrusted code to execute before any authorization gate was applied. With 135 prior CVEs in this package and a directly linked real-world incident (AIID #1368) in which Bitdefender found approximately 17% of OpenClaw skills were malicious and delivering credential stealers (AMOS stealer), this trust bypass is not theoretical: the OpenClaw plugin ecosystem is actively abused and this vulnerability hands attackers a privileged entry point at setup time. No public exploit or CISA KEV entry exists, but the moderate exploitation barrier — requiring only write access to a workspace plugin directory — combined with the severity of setup-time code execution makes this a meaningful risk for any organization running openclaw in shared or multi-user environments. Upgrade all instances to openclaw 2026.4.10 or newer (2026.4.14 is current) and audit workspace plugin directories for unexpected shadows immediately.

Sources: GitHub Advisory, ATLAS

What is the risk?

High severity with moderate exploitability. The attacker must control or influence the workspace plugin directory — achievable via compromised developer credentials, a supply chain attack on workspace dependencies, or in shared team environments where multiple contributors have plugin write access. The exploit window is early in the agent lifecycle (setup time), before security controls are fully active, and the absence of the trust check means there is no runtime defense to compensate for the vulnerable resolution logic. The 135 prior CVEs in this package and an active malicious skill ecosystem (AIID #1368) elevate practical risk well beyond what the missing CVSS score alone would indicate.

How does the attack unfold?

Workspace Access
Adversary obtains write access to the target's workspace plugin directory via compromised developer credentials, a malicious npm dependency, or a shared team environment.
AML.T0012
Plugin Shadow Placement
Adversary places a crafted malicious plugin in the workspace path that shadows a legitimate bundled channel plugin, exploiting the unguarded resolution order in openclaw's setup catalog.
AML.T0110
Trust Gate Bypass
During channel setup, openclaw resolves the workspace shadow before the bundled plugin and loads it without applying the intended authorization check, allowing untrusted code to execute at setup time.
AML.T0010.005
Payload Execution
The malicious plugin runs arbitrary code in the agent's runtime context, enabling credential theft, API key exfiltration, data leakage, or persistence within the AI agent environment.
AML.T0053

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: < 2026.4.10
Patched: 2026.4.10
Dependents: 4
Patched dependents: 36% (~3d to patch)


How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

5 steps
  1. Upgrade to openclaw 2026.4.10 or newer; version 2026.4.14 is the current stable release and includes the fix, which routes setup catalog lookups through trusted catalog paths and uses `excludeWorkspace: true` where setup must not include workspace shadows.

  2. Audit all workspace plugin directories for files that shadow bundled channel plugins; remove or quarantine any unexpected entries.

  3. Restrict write access to workspace plugin paths to trusted principals only, using filesystem ACLs or equivalent controls.

  4. Review agent setup logs prior to patching for evidence of unexpected plugin loads from workspace paths.

  5. In high-security or multi-tenant environments, consider disabling workspace plugin resolution entirely until all instances are patched and audited.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
8.4 - AI system supply chain
NIST AI RMF
GOVERN 6.1 - AI supply chain risk management
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is GHSA-82qx-6vj7-p8m2 actively exploited?

No confirmed active exploitation of GHSA-82qx-6vj7-p8m2 has been reported, but organizations should still patch proactively.

How to fix GHSA-82qx-6vj7-p8m2?

  1. Upgrade to openclaw 2026.4.10 or newer; version 2026.4.14 is the current stable release and includes the fix, which routes setup catalog lookups through trusted catalog paths and uses `excludeWorkspace: true` where setup must not include workspace shadows.

  2. Audit all workspace plugin directories for files that shadow bundled channel plugins; remove or quarantine any unexpected entries.

  3. Restrict write access to workspace plugin paths to trusted principals only, using filesystem ACLs or equivalent controls.

  4. Review agent setup logs prior to patching for evidence of unexpected plugin loads from workspace paths.

  5. In high-security or multi-tenant environments, consider disabling workspace plugin resolution entirely until all instances are patched and audited.

What systems are affected by GHSA-82qx-6vj7-p8m2?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent tool pipelines, multi-tenant agent deployments, plugin-based agent systems.

What is the CVSS score for GHSA-82qx-6vj7-p8m2?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI agent tool pipelines, multi-tenant agent deployments, plugin-based agent systems

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0011.002 Poisoned AI Agent Tool
AML.T0081 Modify AI Agent Configuration
AML.T0110 AI Agent Tool Poisoning

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

## Summary

Channel setup catalog lookups could include untrusted workspace plugin shadows.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

Channel setup could resolve a workspace plugin shadow before a bundled channel plugin, causing setup-time plugin loading without the intended trust gate.

## Technical Details

The fix routes setup catalog lookups through trusted catalog paths and uses `excludeWorkspace: true` where setup should not include workspace shadows.

## Fix

The issue was fixed in the advisory fix branch. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `1fede43b948df40ca8674511d4bd08d39f6c5837`
- PR: private advisory fork

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An adversary with write access to a workspace plugin directory — obtained via compromised developer credentials, a malicious transitive npm dependency that writes to the workspace, or a shared team environment — places a crafted plugin that shadows a legitimate bundled channel plugin. When an operator or automated pipeline initiates channel setup, openclaw's unpatched resolution logic selects the workspace shadow first and loads it without applying the intended trust check. The malicious plugin executes arbitrary code in the agent's runtime context: harvesting LLM API keys, agent credentials, or sensitive data processed by the agent — mirroring the AMOS stealer delivery pattern documented in AIID #1368. In CI/CD environments, this could cascade to all agents provisioned from the compromised workspace.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026

Related Vulnerabilities