GHSA-cqmh-pcgr-q42f: @axonflow/openclaw: credential exposure via insecure file permissions

GHSA-cqmh-pcgr-q42f MEDIUM
Published May 6, 2026
CISO Take

The AxonFlow OpenClaw plugin stores registration credentials — including hashed credentials and instance IDs — in directories and files with world-readable permissions (0755/default umask), allowing any local user on the same host to read them without any privilege escalation. While this requires local system access and carries no public exploit or CISA KEV listing, the real threat surface is shared DevOps environments: CI/CD build hosts, developer workstations, and multi-tenant servers running AI agent tooling are realistic scenarios where a low-privilege attacker could harvest credentials laterally. With 4 downstream dependents and 135 other CVEs tracked in the same package, this plugin's security posture warrants scrutiny before broader deployment. Upgrade to @axonflow/openclaw 2.0.0 immediately — the fix enforces 0700 on all plugin directories at every startup and refuses to load any credential file without strict 0600 mode.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium risk in single-user workstation deployments, but elevated in multi-user or shared server environments. The CVSS 5.5 score (AV:L/AC:L/PR:L/UI:N/C:H/I:N/A:N) reflects local-only exploitation that requires only low privileges yet delivers high confidentiality impact on the credential material. There is no remote exploitability, no active exploitation has been observed, and EPSS data is unavailable. The 135 other CVEs in the same package are a systemic red flag for this plugin's security development maturity.

How does the attack unfold?

  1. Local Access (AML.T0012): Attacker obtains a low-privilege local account on a shared host where the AxonFlow OpenClaw plugin has been previously invoked by another user.

  2. Configuration Discovery (AML.T0084): Attacker traverses ~/.config/axonflow/ and ~/.cache/axonflow/ directories — world-accessible due to 0755 mode — to locate credential files and registration state.

  3. Credential Theft (AML.T0083): Attacker reads the world-readable try-registration.json file, extracting hashed registration credentials and the plugin instance_id.

  4. Agent Impersonation (AML.T0012): Attacker replays stolen credentials against AxonFlow services to authenticate as the victim, gaining unauthorized access to the victim's registered AI agent configuration and associated resources.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: < 2.0.0
Patched: 2.0.0
Adoption: 4 dependents, 36% patched, ~3d to patch


How severe is it?

CVSS 3.1: 5.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Local
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: None
A: None

What should I do?

  1. Upgrade @axonflow/openclaw to version 2.0.0 immediately — the patch enforces 0700 on all plugin directories at every invocation.

  2. On existing installations before upgrade: chmod 0700 ~/.config/axonflow/ ~/.cache/axonflow/ && chmod 0600 ~/.config/axonflow/try-registration.json.

  3. After upgrading, any credential file with non-0600 permissions will be rejected — re-register the plugin or chmod 0600 the existing file.

  4. Audit shared systems for world-readable AI agent config directories: find ~/.config ~/.cache -name '*.json' -perm /o+r 2>/dev/null.

  5. In CI/CD environments, ensure agent home directories are not shared across pipeline users or use isolated per-job home directories.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Information security controls for AI systems; A.8.4 - AI system security
NIST AI RMF: GOVERN 1.7 - Processes for AI risk identification and management; MANAGE 2.2 - Risk controls for AI systems
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions


Is GHSA-cqmh-pcgr-q42f actively exploited?

No confirmed active exploitation of GHSA-cqmh-pcgr-q42f has been reported, but organizations should still patch proactively.


What systems are affected by GHSA-cqmh-pcgr-q42f?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-user AI development environments, CI/CD pipelines running AI agents.

What is the CVSS score for GHSA-cqmh-pcgr-q42f?

GHSA-cqmh-pcgr-q42f has a CVSS v3.1 base score of 5.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks
multi-user AI development environments
CI/CD pipelines running AI agents

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0037 Data from Local System
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6, A.8.4
NIST AI RMF: GOVERN 1.7, MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Summary

Two related permission defects in this AxonFlow plugin allowed registration credentials and cache state to be readable by other local users on hosts where the calling user's home directory was at the conventional `0755` mode.

## Affected versions

Versions 1.3.2 and below.

## Impact

1. **Cache and config directory mode.** The plugin's directories under `~/.config/axonflow/` and `~/.cache/axonflow/` were created with the umask-derived default mode (often `0755`) on first use and not subsequently re-validated. On systems where `~/.config/` is itself `0755`, the plugin's registration record (including a hashed credential and `instance_id`) was traversable by other local users.
2. **Credential file mode at load time.** The plugin loaded its `try-registration.json` credential file without validating that the file mode was `0600`. A registration file written by a misconfigured tool, copied across systems, or restored from backup could end up world-readable, and the plugin would silently use it.

The fix restores `0700` on all plugin directories on every plugin invocation (not only first creation) and refuses to load credential files with non-`0600` modes.

## Remediation

Upgrade to the patched plugin version listed under Vulnerabilities. On startup the plugin will repair existing directory modes; existing credential files with overly permissive modes will be refused, requiring the user to re-register or `chmod 0600` the file.

## Credit

Identified by AxonFlow internal security review.
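The two behaviours the advisory and the remediation steps describe (re-applying `0700` to the plugin directory on every invocation, and refusing a credential file whose mode is not `0600`) can be sketched in Node.js as follows. This is an added example, not the plugin's own code and not part of the advisory: the function names, the owner check, the `O_NOFOLLOW` flag, and the constructed file contents are assumptions for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const DIR_MODE = 0o700;  // owner-only traversal
const FILE_MODE = 0o600; // owner-only read/write

// Create the directory if missing, then re-apply 0700 on every call: mkdir's
// mode is masked by the umask and ignored when the directory already exists.
function ensurePrivateDir(dir) {
  fs.mkdirSync(dir, { recursive: true, mode: DIR_MODE });
  fs.chmodSync(dir, DIR_MODE);
  return fs.statSync(dir).mode & 0o777;
}

// Load only a regular file owned by the current user with mode exactly 0600.
// fstat runs on the open descriptor, so the file checked is the file read.
function loadCredentialFile(file) {
  const fd = fs.openSync(file, fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW);
  try {
    const st = fs.fstatSync(fd);
    const mode = st.mode & 0o777;
    if (!st.isFile()) throw new Error(`${file}: not a regular file`);
    if (st.uid !== process.getuid()) throw new Error(`${file}: wrong owner`);
    if (mode !== FILE_MODE) {
      throw new Error(`${file}: mode 0${mode.toString(8)} refused, want 0600`);
    }
    return JSON.parse(fs.readFileSync(fd, 'utf8'));
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed demo: a scratch directory stands in for ~/.config/axonflow/.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'axonflow-demo-'));
  const dir = path.join(base, 'axonflow');
  const file = path.join(dir, 'try-registration.json');
  fs.mkdirSync(dir);
  fs.chmodSync(dir, 0o755);   // state left behind by a permissive umask
  fs.writeFileSync(file, JSON.stringify({ instance_id: 'constructed-demo-id' }));
  fs.chmodSync(file, 0o644);  // world-readable, as after a careless restore
  const out = { dirMode: ensurePrivateDir(dir), refused: false };
  try { loadCredentialFile(file); } catch { out.refused = true; }
  fs.chmodSync(file, FILE_MODE);
  out.loaded = loadCredentialFile(file);
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

POSIX mode bits and `process.getuid` are not available on Windows, so this check applies to Linux and macOS hosts.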

Exploitation Scenario

An attacker with a low-privilege shell on a shared development server where a developer has run the AxonFlow OpenClaw plugin traverses into ~/.config/axonflow/ (accessible due to 0755 mode on the parent and plugin directories) and reads try-registration.json, which is world-readable. The file contains hashed registration credentials and an instance_id. The attacker extracts these values and replays them against AxonFlow services to authenticate as the victim, gaining access to the victim's registered AI agent configuration, orchestrated workflows, and any tools or data sources exposed through the agent.

Weaknesses (CWE)

CWE-552 — Files or Directories Accessible to External Parties: The product makes files or directories accessible to unauthorized actors, even though they should not be.

  • [Implementation, System Configuration, Operation] When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
May 6, 2026
Last Modified
May 6, 2026
First Seen
May 7, 2026
