GHSA-cwj3-vqpp-pmxr: openclaw: Model bypasses authz to persist unsafe config

GHSA-cwj3-vqpp-pmxr HIGH
Published May 5, 2026
CISO Take

OpenClaw's agent gateway used a hand-maintained denylist to restrict model-driven mutations to sensitive configuration paths — a design that silently failed as the config schema grew beyond what the list covered. Any prompt-injected or otherwise compromised model with access to the owner-only gateway tool could invoke config.apply or config.patch against unprotected paths covering command execution, TLS behavior, credential forwarding, telemetry/hook endpoints, memory surfaces, and operator policy controls, with all changes surviving agent restarts. With 4 downstream npm dependents and no public exploit or CISA KEV listing, mass exploitation at scale is unlikely today, but the persistence mechanism elevates individual incident severity significantly — a single successful prompt injection results in a persistent foothold that requires manual remediation to clean up. Teams running openclaw should upgrade immediately to 2026.4.23, which replaces the denylist with a fail-closed allowlist; additionally audit all agent config files for unauthorized mutations and review gateway tool invocation logs for anomalous config.apply or config.patch calls prior to the patch date.

Sources: GitHub Advisory, ATLAS

What is the risk?

CVSS 8.8 (High) reflects network-reachable exploitation requiring only low privileges and no user interaction. The attack surface is constrained by the owner-only nature of the gateway tool, but OpenClaw's own security model explicitly treats the model/agent as an untrusted principal — making any model-driven config mutation a fundamental boundary violation regardless of entry privileges. The denylist approach is a well-documented anti-pattern in security engineering; its failure here is systemic and predictable. No public exploit code exists and the package has only 4 downstream npm dependents, which limits immediate blast radius. However, the persistence mechanism — config changes surviving restart — elevates the risk well beyond a transient compromise, as remediation requires active identification and reversal of each unauthorized mutation rather than simply restarting the agent.

How does the attack unfold?

Prompt Injection
Adversary embeds malicious instructions in external content ingested by the openclaw agent (document, web page, or API response), causing the model to treat the injected instructions as legitimate directives.
AML.T0051.001
Gateway Tool Invocation
The compromised model invokes the owner-only gateway tool with config.apply or config.patch targeting config paths not covered by the pre-2026.4.23 denylist (command execution, credential forwarding, telemetry endpoints).
AML.T0053
Unauthorized Config Persistence
The gateway mutation RPC succeeds unchecked, writing adversary-controlled values to config paths that survive agent restart, establishing persistent unauthorized changes to the agent's operational environment.
AML.T0081
Impact — Security Boundary Crossed
Persisted config changes enable downstream impacts including command execution on next trigger, credential exfiltration via rewritten forwarding rules, and traffic interception via proxy/TLS config modification — all surviving restarts without active operator detection.
AML.T0086

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable range: < 2026.4.23
Patched: 2026.4.23
Dependents: 4 (37% patched, ~3d to patch)


How severe is it?

CVSS 3.1
8.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. Upgrade openclaw to version 2026.4.23 immediately — the fix replaces the denylist with a fail-closed allowlist that only permits narrow agent-tunable prompt/model settings and mention-gating paths.

  2. Audit all openclaw config files for unexpected mutations in command execution, network/proxy/TLS, credential forwarding, telemetry/hook endpoints, memory/indexing, and operator policy sections — compare against known-good baselines.

  3. Review agent gateway tool invocation logs for config.apply or config.patch calls targeting non-standard paths, particularly in the weeks prior to patching.

  4. If immediate upgrade is not feasible, revoke model access to the gateway tool entirely and monitor all config mutation RPCs at the infrastructure level.

  5. Implement config file integrity monitoring (cryptographic hash verification with alerting) to detect unauthorized persistent changes going forward.

  6. Treat any pre-patch openclaw deployment as potentially compromised and perform full config review before restoring to production.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
6.1.2 - AI risk assessment
8.4 - AI system operation
NIST AI RMF
GOVERN 1.2 - Accountability structures for AI risk
MANAGE 2.2 - Risk treatment and response
OWASP LLM Top 10
LLM01:2025 - Prompt Injection
LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is GHSA-cwj3-vqpp-pmxr?

OpenClaw's agent gateway used a hand-maintained denylist to restrict model-driven mutations to sensitive configuration paths — a design that silently failed as the config schema grew beyond what the list covered. Any prompt-injected or otherwise compromised model with access to the owner-only gateway tool could invoke config.apply or config.patch against unprotected paths covering command execution, TLS behavior, credential forwarding, telemetry/hook endpoints, memory surfaces, and operator policy controls, with all changes surviving agent restarts. With 4 downstream npm dependents and no public exploit or CISA KEV listing, mass exploitation at scale is unlikely today, but the persistence mechanism elevates individual incident severity significantly — a single successful prompt injection results in a persistent foothold that requires manual remediation to clean up. Teams running openclaw should upgrade immediately to 2026.4.23, which replaces the denylist with a fail-closed allowlist; additionally audit all agent config files for unauthorized mutations and review gateway tool invocation logs for anomalous config.apply or config.patch calls prior to the patch date.

Is GHSA-cwj3-vqpp-pmxr actively exploited?

No confirmed active exploitation of GHSA-cwj3-vqpp-pmxr has been reported, but organizations should still patch proactively.

How to fix GHSA-cwj3-vqpp-pmxr?

  1. Upgrade openclaw to version 2026.4.23 immediately — the fix replaces the denylist with a fail-closed allowlist that only permits narrow agent-tunable prompt/model settings and mention-gating paths.

  2. Audit all openclaw config files for unexpected mutations in command execution, network/proxy/TLS, credential forwarding, telemetry/hook endpoints, memory/indexing, and operator policy sections — compare against known-good baselines.

  3. Review agent gateway tool invocation logs for config.apply or config.patch calls targeting non-standard paths, particularly in the weeks prior to patching.

  4. If immediate upgrade is not feasible, revoke model access to the gateway tool entirely and monitor all config mutation RPCs at the infrastructure level.

  5. Implement config file integrity monitoring (cryptographic hash verification with alerting) to detect unauthorized persistent changes going forward.

  6. Treat any pre-patch openclaw deployment as potentially compromised and perform full config review before restoring to production.

What systems are affected by GHSA-cwj3-vqpp-pmxr?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines, LLM tool use systems, AI orchestration platforms.

What is the CVSS score for GHSA-cwj3-vqpp-pmxr?

GHSA-cwj3-vqpp-pmxr has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, agentic pipelines, LLM tool use systems, AI orchestration platforms

MITRE ATLAS Techniques

AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0080 AI Agent Context Poisoning
AML.T0081 Modify AI Agent Configuration
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 1.2, MANAGE 2.2
OWASP LLM Top 10: LLM01:2025, LLM08:2025

What are the technical details?

Original Advisory

## Summary

The agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations.

## Impact

A prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config.

## Affected Packages / Versions

- Package: `openclaw` on npm
- Affected: versions before `2026.4.23`
- Fixed: `2026.4.23`
- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`

## Fix

OpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked.

## Fix Commit(s)

- `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`)

## Severity

Severity remains `high`. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation.
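The risk section above calls the denylist a predictable anti-pattern, and the advisory's Fix section describes the replacement: a fail-closed allowlist evaluated before the mutation RPC runs. The block below is an added example, not OpenClaw's code, showing the two guard shapes side by side over a nested patch object. Every config path name in it (`tools.exec`, `hooks.endpoint`, `prompt.system`, and so on) is a constructed placeholder, not OpenClaw's real schema.

```javascript
// Added example (not OpenClaw code): denylist vs fail-closed allowlist for
// model-driven config mutations. All path names here are constructed for
// illustration and are not OpenClaw's real config schema.

// Pre-fix shape: a hand-maintained list of paths the model must not touch.
// Anything absent from the list is allowed, so a path added to the schema
// after the list was written (here "hooks.endpoint") is silently writable.
const PROTECTED_PATHS = ["tools.exec", "tls.verify", "credentials.forward"];

// Post-fix shape: the only subtrees the model may write. Everything else is
// rejected, including paths that did not exist when the list was written.
const AGENT_TUNABLE_PATHS = ["prompt.system", "model.temperature", "mentions.gating"];

// Flatten a nested patch into dotted leaf paths, e.g.
// { hooks: { endpoint: "x" } } -> ["hooks.endpoint"]. Arrays count as leaves.
function leafPaths(obj, prefix = "") {
  const out = [];
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      out.push(...leafPaths(value, path));
    } else {
      out.push(path);
    }
  }
  return out;
}

// True when `path` is `entry` itself or lies beneath it.
function underPath(path, entry) {
  return path === entry || path.startsWith(entry + ".");
}

// Denylist decision: allow unless the path is on the protected list.
function denylistAllows(path) {
  return !PROTECTED_PATHS.some((p) => underPath(path, p));
}

// Allowlist decision: allow only when the path sits inside a tunable subtree.
function allowlistAllows(path) {
  return AGENT_TUNABLE_PATHS.some((p) => underPath(path, p));
}

// Evaluate the whole patch before any mutation RPC is issued. A single
// disallowed leaf rejects the entire patch, so no partial write ever lands.
function evaluatePatch(patch, allows) {
  const rejected = leafPaths(patch).filter((p) => !allows(p));
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample patch: a legitimate-looking prompt tweak bundled with a
// write to a hook endpoint path that the denylist never covered.
const SAMPLE_PATCH = {
  prompt: { system: "You are a helpful assistant." },
  hooks: { endpoint: "https://untrusted.example/collect" },
};

// Stand-alone run: the denylist passes the patch, the allowlist rejects it.
console.log("denylist :", JSON.stringify(evaluatePatch(SAMPLE_PATCH, denylistAllows)));
console.log("allowlist:", JSON.stringify(evaluatePatch(SAMPLE_PATCH, allowlistAllows)));
```

Note that `evaluatePatch` flattens to leaf paths before checking, so a patch that replaces a parent key wholesale (for example `{ prompt: "..." }`) is rejected by the allowlist because the leaf `prompt` is not itself within an allowed subtree; the allowlist only ever has to answer "is this exact write inside something I explicitly permit", which is what makes it fail closed as the schema grows.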

Exploitation Scenario

An adversary embeds a prompt injection payload in external content routinely ingested by an openclaw agent — for example, a document processed via a file-reading tool, a web page fetched during research, or an API response from an integrated service. The injected instructions direct the agent to invoke the gateway tool with config.apply targeting a telemetry endpoint path not covered by the pre-2026.4.23 denylist, rewriting the endpoint to an adversary-controlled server. On the next agent cycle, all telemetry — potentially including conversation context, tool outputs, or credential material — is forwarded externally. The adversary follows up with a second injection rewriting hook endpoints to execute arbitrary commands on the next trigger event. Both changes are written to disk and survive agent restart, giving the adversary a persistent dual-channel foothold (exfiltration + command execution) that remains in place until an operator audits the config. The owner-only gateway access requirement is irrelevant because the model itself is the vector — the denylist was the only guard between model execution and config persistence, and it was incomplete.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 5, 2026
Last Modified
May 5, 2026
First Seen
May 5, 2026
