GHSA-cmfr-9m2r-xwhq — MEDIUM AI Security Vulnerability

Q: Is GHSA-cmfr-9m2r-xwhq actively exploited?

No confirmed active exploitation of GHSA-cmfr-9m2r-xwhq has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-cmfr-9m2r-xwhq?

1. Upgrade to openclaw 2026.4.8 immediately — this is the only fix; no workaround exists for the path bypass. 2. Audit existing browser profiles managed by OpenClaw for unexpected proxy settings, extension changes, or modified credential stores. 3. If upgrade is not immediately possible, restrict OpenClaw's invocation surface to trusted internal callers only. 4. Review installed OpenClaw skills against known-good baselines — given the AMOS stealer incident, treat all third-party skills as untrusted until verified. 5. Monitor filesystem changes to browser profile directories as a detection signal for exploitation.

Q: What systems are affected by GHSA-cmfr-9m2r-xwhq?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, browser automation, local AI agents.

Q: What is the CVSS score for GHSA-cmfr-9m2r-xwhq?

No CVSS score has been assigned yet.

CISO Take

OpenClaw's browser proxy invocation path (`node.invoke(browser.proxy)`) bypasses the `browser.request` authorization guard designed to prevent persistent browser profile mutations, classified as CWE-863 Incorrect Authorization. While scoped to a local, user-controlled assistant context and carrying no EPSS data or KEV listing, the risk is non-trivial: persistent profile mutation can survive session restarts, potentially altering proxy settings, injecting stored credentials, or redirecting traffic — all silently. The same OpenClaw ecosystem has logged 60 CVEs total and was linked to a Feb. 2026 incident where malicious skills delivered AMOS stealer and exfiltrated credentials (AIID #1368), confirming it is an active adversarial target. Upgrade to openclaw 2026.4.8 immediately; no workaround exists for the guard bypass.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium risk in isolation, elevated in context. The local-agent trust model limits multi-tenant blast radius, but persistent browser profile mutation creates a durable foothold in any workflow where OpenClaw manages browser sessions. No public exploit code or scanner template is available, and exploitation requires access to the agent's invocation surface. However, the package's history of 60 CVEs and confirmed ecosystem abuse (AMOS stealer distribution) raises the operational risk above the base CVSS score suggests.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	< 2026.4.8	`2026.4.8`

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

Recommended Action

Upgrade to openclaw 2026.4.8 immediately — this is the only fix; no workaround exists for the path bypass.
Audit existing browser profiles managed by OpenClaw for unexpected proxy settings, extension changes, or modified credential stores.
If upgrade is not immediately possible, restrict OpenClaw's invocation surface to trusted internal callers only.
Review installed OpenClaw skills against known-good baselines — given the AMOS stealer incident, treat all third-party skills as untrusted until verified.
Monitor filesystem changes to browser profile directories as a detection signal for exploitation.

Classification

Auth Bypass Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0053 - AI Agent Tool Invocation AML.T0081 - Modify AI Agent Configuration AML.T0112.000 - Local AI Agent

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.6.2.6 - Access control to AI systems

NIST AI RMF

GOVERN 6.2 - Policies and procedures are in place to define and differentiate roles and responsibilities

OWASP LLM Top 10

LLM06 - Excessive Agency

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

AIID #1368 documents credential exfiltration via malicious OpenClaw skills — the same platform as this CVE. The browser proxy guard bypass described here creates an identical exfiltration-capable foothold: an attacker controlling the proxy intercepts session credentials in transit, directly enabling the credential theft outcome observed in the incident.

AIID #1368

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is GHSA-cmfr-9m2r-xwhq?

OpenClaw's browser proxy invocation path (`node.invoke(browser.proxy)`) bypasses the `browser.request` authorization guard designed to prevent persistent browser profile mutations, classified as CWE-863 Incorrect Authorization. While scoped to a local, user-controlled assistant context and carrying no EPSS data or KEV listing, the risk is non-trivial: persistent profile mutation can survive session restarts, potentially altering proxy settings, injecting stored credentials, or redirecting traffic — all silently. The same OpenClaw ecosystem has logged 60 CVEs total and was linked to a Feb. 2026 incident where malicious skills delivered AMOS stealer and exfiltrated credentials (AIID #1368), confirming it is an active adversarial target. Upgrade to openclaw 2026.4.8 immediately; no workaround exists for the guard bypass.

Is GHSA-cmfr-9m2r-xwhq actively exploited?

No confirmed active exploitation of GHSA-cmfr-9m2r-xwhq has been reported, but organizations should still patch proactively.

How to fix GHSA-cmfr-9m2r-xwhq?

1. Upgrade to openclaw 2026.4.8 immediately — this is the only fix; no workaround exists for the path bypass. 2. Audit existing browser profiles managed by OpenClaw for unexpected proxy settings, extension changes, or modified credential stores. 3. If upgrade is not immediately possible, restrict OpenClaw's invocation surface to trusted internal callers only. 4. Review installed OpenClaw skills against known-good baselines — given the AMOS stealer incident, treat all third-party skills as untrusted until verified. 5. Monitor filesystem changes to browser profile directories as a detection signal for exploitation.

What systems are affected by GHSA-cmfr-9m2r-xwhq?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, browser automation, local AI agents.

What is the CVSS score for GHSA-cmfr-9m2r-xwhq?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard. node.invoke(browser.proxy) could mutate persistent browser profiles through a path that bypassed the browser.request guard. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= v2026.04.01` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting.

Exploitation Scenario

An attacker who controls a malicious OpenClaw skill (or has code execution in the agent's environment) calls `node.invoke(browser.proxy)` instead of routing through the protected `browser.request` path. This bypasses the persistent-profile-mutation guard, allowing the attacker to reconfigure the browser's proxy to an adversary-controlled endpoint. All subsequent web requests made by OpenClaw — including authenticated API calls, credential submissions, or session-bearing requests — are then transparently intercepted. The mutation persists across OpenClaw restarts, creating a durable interception channel that survives normal session cleanup. This attack chain mirrors exactly the credential exfiltration vector observed in AIID #1368.