GHSA-f3h5-h452-vp3j: openclaw: insufficient authz allows agent config persistence

GHSA-f3h5-h452-vp3j MEDIUM
Published April 17, 2026
CISO Take

A medium-severity authorization flaw in openclaw (npm) let any caller holding the operator.write scope persist Nostr plugin profile configuration through the plugin's HTTP profile mutation routes, which should have required operator.admin. Only 4 direct downstream dependents are exposed, but openclaw carries a history of 135 prior CVEs, and AIID incident #1368 documents real-world abuse of the OpenClaw ecosystem for credential exfiltration via ClawHub, so the package is an established adversary target. Exploitation needs nothing beyond a valid operator.write credential: no special tooling or AI knowledge is required. Upgrade to openclaw >= 2026.4.10 (latest: 2026.4.14) and audit access logs for Nostr profile mutations by non-admin operators covering the whole period a vulnerable version was deployed.

Sources: GitHub Advisory, MITRE ATLAS, CISA KEV

What is the risk?

Medium risk in isolation, elevated in context. No CVSS vector or EPSS score has been published, the advisory is not listed in CISA KEV, and no public exploit is known. However, exploitation needs only valid lower-privilege credentials, the OpenClaw ecosystem has documented active abuse (AIID #1368), and the package has 135 prior CVEs; together these raise practical risk above the nominal medium rating for organizations running openclaw in production agentic deployments. Multi-tenant environments where operator.write credentials are distributed across teams face the greatest exposure, since on a vulnerable version each such credential is effectively an admin credential for Nostr profile configuration.

How does the attack unfold?

Initial Access
Attacker authenticates with a valid operator.write account, obtained through credential theft (e.g. the AMOS stealer in AIID #1368), a compromised team member, or a malicious insider.
AML.T0012
Privilege Exploitation
Attacker sends HTTP requests to Nostr profile mutation routes that incorrectly accept operator.write scope instead of requiring operator.admin, bypassing authorization enforcement.
AML.T0049
Configuration Persistence
Malicious profile configuration is persisted and survives restarts, affecting every consumer of the agent profile. Relay endpoints, agent identity parameters and profile metadata are the likely targets; the advisory itself does not enumerate which fields the routes accept.
AML.T0081
Impact
Persistent unauthorized configuration redirects agent communications, enables follow-on credential harvesting, or establishes covert presence within the AI deployment's identity and communication layer.
AML.T0080

What systems are affected?

Package    Ecosystem   Vulnerable range   Patched
openclaw   npm         < 2026.4.10        2026.4.10

Direct dependents: 4   Dependents patched: 36%   Time to patch: ~3d

Any deployment running openclaw below 2026.4.10 is in the vulnerable range. The exposed surface is the Nostr plugin's HTTP profile mutation routes, reachable by any caller holding operator.write.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial (a valid operator.write credential is all that is needed)

What should I do?

5 steps
  1. Upgrade to openclaw >= 2026.4.10 (latest stable: 2026.4.14). This is the only full remediation; the fix makes the Nostr profile mutation routes require operator.admin.

  2. Audit HTTP access logs for mutating requests (POST, PUT, PATCH, DELETE) to the Nostr profile routes made by accounts without operator.admin, covering the whole period a vulnerable version was deployed. Do this whether or not you have already patched: upgrading stops the bypass but does not undo changes made through it.

  3. If immediate upgrade is not possible, enforce the admin requirement in front of the application: at the gateway or WAF, allow mutating methods on the Nostr profile routes only for callers the gateway can positively identify as operator.admin, and deny them otherwise. A WAF that cannot see the caller's scope cannot implement this rule and should deny those mutations outright until the patch lands.

  4. Rotate the operator.write credentials behind any mutation found in step 2, and treat those accounts as compromised until shown otherwise.

  5. Compare the current agent profile configuration against a known-good baseline and revert unexpected changes to relay endpoints or identity parameters. Access logs rarely record request bodies, so the configuration diff, not the log, tells you what was actually changed.
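Steps 2, 4 and 5 can be driven from one triage script. The example below is added here and is not openclaw tooling: its access-log schema, the Nostr profile route path and the profile field names are constructed assumptions, and the log lines and baseline configuration are constructed sample data. Adapt the route regex and field names to what your gateway actually records.

```javascript
// Added triage helper for the audit, rotation and config-review steps.
// NOT openclaw code: the log schema, route path and profile fields below are
// assumptions; the log lines and configs are constructed sample data.

// Constructed sample: JSON access-log lines from a hypothetical gateway in
// front of openclaw, one request per line, with the caller's scopes recorded.
const SAMPLE_LOG = `
{"ts":"2026-04-12T09:14:02Z","method":"GET","path":"/api/plugins/nostr/profile","actor":"svc-ingest","scopes":["operator.write"],"status":200}
{"ts":"2026-04-12T09:14:40Z","method":"POST","path":"/api/plugins/nostr/profile","actor":"svc-ingest","scopes":["operator.write"],"status":200}
{"ts":"2026-04-12T10:02:11Z","method":"PUT","path":"/api/plugins/nostr/profile/relays","actor":"ops-admin","scopes":["operator.admin"],"status":200}
{"ts":"2026-04-13T03:30:00Z","method":"PATCH","path":"/api/plugins/nostr/profile","actor":"ci-bot","scopes":["operator.write"],"status":403}
{"ts":"2026-04-13T03:31:12Z","method":"PATCH","path":"/api/plugins/nostr/profile","actor":"ci-bot","scopes":["operator.write"],"status":200}
`.trim();

const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);
// Assumed route prefix; the real path is whatever your deployment exposes.
const NOSTR_PROFILE_ROUTE = /^\/api\/plugins\/nostr\/profile(\/|$)/;

function parseLog(text) {
  return text.split("\n").filter(Boolean).map((line) => JSON.parse(line));
}

// Step 2: successful mutations of the Nostr profile routes by callers that did
// not hold operator.admin. Denied (4xx) attempts are excluded: they show the
// check working, not a bypass, though they are worth alerting on separately.
function findNonAdminProfileMutations(entries) {
  return entries.filter((e) =>
    MUTATING.has(e.method) &&
    NOSTR_PROFILE_ROUTE.test(e.path) &&
    e.status >= 200 && e.status < 300 &&
    !(e.scopes || []).includes("operator.admin"));
}

// Step 4: the credentials to rotate are the distinct actors behind those hits.
function credentialsToRotate(hits) {
  return [...new Set(hits.map((h) => h.actor))].sort();
}

// Step 5: compare the live profile config against a known-good baseline and
// report every top-level field (relays, identity, metadata) that differs.
function diffProfile(baseline, current) {
  const findings = [];
  for (const key of new Set([...Object.keys(baseline), ...Object.keys(current)])) {
    const before = JSON.stringify(baseline[key]);
    const after = JSON.stringify(current[key]);
    if (before !== after) findings.push({ key, baseline: baseline[key], current: current[key] });
  }
  return findings;
}

function triage() {
  const entries = parseLog(SAMPLE_LOG);
  const hits = findNonAdminProfileMutations(entries);
  // Constructed baseline vs. current profile config: one relay has been added.
  const baseline = { name: "agent", relays: ["wss://relay.example.internal"], pubkey: "pubkey-baseline" };
  const current = { name: "agent", relays: ["wss://relay.example.internal", "wss://relay.attacker.example"], pubkey: "pubkey-baseline" };
  return { hits, rotate: credentialsToRotate(hits), drift: diffProfile(baseline, current) };
}
```

Run against the sample it flags two successful non-admin mutations (svc-ingest and ci-bot), lists both accounts for rotation, and reports the added relay. The 403 from ci-bot is deliberately not counted as a hit: it is a failed attempt, which in a real investigation is evidence of probing and should be reviewed on its own.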

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - Access control for AI systems
NIST AI RMF
GOVERN-1.7 - Processes and responsibilities for AI risk management
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-f3h5-h452-vp3j?

GHSA-f3h5-h452-vp3j is a medium-severity authorization flaw in openclaw (npm) versions before 2026.4.10. The Nostr plugin's HTTP profile mutation routes accepted the operator.write scope where operator.admin was required, so any write-scoped caller could persist profile configuration. The fix in 2026.4.10 requires operator.admin on those routes; the CISO Take at the top of this page gives the risk context and the remediation steps are listed under "What should I do?".

Is GHSA-f3h5-h452-vp3j actively exploited?

No confirmed active exploitation of GHSA-f3h5-h452-vp3j has been reported, but organizations should still patch proactively.

How to fix GHSA-f3h5-h452-vp3j?

Upgrade to openclaw >= 2026.4.10 (latest stable: 2026.4.14), which is the only full remediation. Until then, gate mutating requests to the Nostr profile routes to operator.admin callers at the gateway, audit access logs for non-admin mutations over the period a vulnerable version was deployed, rotate any operator.write credentials involved, and diff the agent profile configuration against a known-good baseline. The five steps are spelled out under "What should I do?".

What systems are affected by GHSA-f3h5-h452-vp3j?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, AI orchestration pipelines.

What is the CVSS score for GHSA-f3h5-h452-vp3j?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-tenant AI platforms, AI orchestration pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: GOVERN-1.7
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

## Summary
Nostr profile mutation routes allowed operator.write config persistence.

## Affected Packages / Versions
- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact
Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin authority.

## Technical Details
The fix requires `operator.admin` scope for Nostr profile mutation routes.

## Fix
The issue was fixed in #63553. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)
- `6517c700de9bb0ee11b41ab625ef3b63d01b6083`
- PR: #63553

## Release Process Note
Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits
Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An insider or a service account compromised via credential theft (consistent with the AMOS stealer abuse in AIID #1368) holds operator.write credentials. The attacker sends mutating HTTP requests to the openclaw Nostr profile routes. Pre-patch, these routes accept the lower-privilege scope and persist the submitted configuration without an admin authorization check; plausible abuse includes pointing Nostr relay endpoints at an adversary-controlled server or injecting malicious profile metadata, although the advisory does not enumerate the accepted fields. The modified configuration survives service restarts and affects all consumers of the agent profile, giving covert persistent access to agent communications or a foothold for credential harvesting of the kind documented against ClawHub in AIID #1368.
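The flaw described in the attack chain above and in this scenario reduces to a mutation route guarded by the wrong scope. The following is an added illustration, not openclaw's code: the scope lattice, the route handler shape and the profile fields are hypothetical stand-ins. It places the pre-fix guard, which accepts operator.write, beside the post-fix guard that requires operator.admin, as the advisory states the fix does, and shows that the check must reject the caller before anything is persisted.

```javascript
// Added illustration of the authorization flaw class in the advisory.
// NOT openclaw code: scope names beyond operator.write/operator.admin, the
// handler shape and the config fields are hypothetical stand-ins.

// Hypothetical scope lattice: admin implies write, write implies read.
// Unknown scopes grant nothing (deny by default).
const SCOPE_IMPLIES = {
  "operator.admin": ["operator.admin", "operator.write", "operator.read"],
  "operator.write": ["operator.write", "operator.read"],
  "operator.read": ["operator.read"],
};

function hasScope(principal, required) {
  return (principal.scopes || []).some((s) => (SCOPE_IMPLIES[s] || []).includes(required));
}

// In-memory stand-in for the persisted Nostr profile configuration.
function makeStore() {
  return { profile: { name: "agent", relays: ["wss://relay.example.internal"] } };
}

// Pre-fix guard: the mutation route only checks operator.write, so any
// write-scoped caller can persist profile config that survives restarts.
function vulnerableProfileMutation(store, principal, patch) {
  if (!hasScope(principal, "operator.write")) return { status: 403, profile: store.profile };
  store.profile = { ...store.profile, ...patch };
  return { status: 200, profile: store.profile };
}

// Post-fix guard: the same route requires operator.admin, and the check
// happens before the write, so a write-only caller changes nothing.
function patchedProfileMutation(store, principal, patch) {
  if (!hasScope(principal, "operator.admin")) return { status: 403, profile: store.profile };
  store.profile = { ...store.profile, ...patch };
  return { status: 200, profile: store.profile };
}

// Demonstration: a write-only service account tries to redirect the relay.
function demo() {
  const writer = { id: "svc-ingest", scopes: ["operator.write"] };
  const admin = { id: "ops-admin", scopes: ["operator.admin"] };
  const reader = { id: "dashboard", scopes: ["operator.read"] };
  const hostile = { relays: ["wss://relay.attacker.example"] }; // constructed payload
  return {
    before: vulnerableProfileMutation(makeStore(), writer, hostile),
    after: patchedProfileMutation(makeStore(), writer, hostile),
    adminOk: patchedProfileMutation(makeStore(), admin, hostile),
    readerDenied: vulnerableProfileMutation(makeStore(), reader, hostile),
  };
}
```

The two handlers differ in a single string, which is why this class of bug is easy to ship and easy to miss in review: the test that catches it is the negative one, a write-scoped principal asserting a 403 and an unchanged store, not the positive test that an admin can still write.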

Weaknesses (CWE)

CWE-266 — Incorrect Privilege Assignment: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design, Operation] Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026
