GHSA-g2hm-779g-vm32: openclaw: auth bypass preserves owner-level agent execution
GHSA-g2hm-779g-vm32 MEDIUM
A missing authorization check in openclaw's heartbeat owner-downgrade logic allows webhook wake events carrying untrusted content to execute with owner-level privileges instead of being safely demoted. For AI agent deployments built on openclaw, this means an attacker who can deliver a crafted webhook event could trigger agent actions with elevated context — potentially accessing restricted tools, data, or external services beyond what untrusted callers should reach. While no public exploit exists and EPSS data is unavailable, the vulnerability class (CWE-863 incorrect authorization) is straightforward to weaponize once the event structure is understood, and the same package carries 135 other tracked CVEs — a persistent signal of systemic security debt. Teams running openclaw >= 2026.4.7 should upgrade to 2026.4.14 immediately; in the interim, restrict webhook endpoints to authenticated sources only and audit agent execution logs for anomalous owner-context runs.
What is the risk?
Medium risk in isolation, elevated in AI agent deployments. The attack requires the ability to deliver webhook wake events to the target system, which limits surface area compared to unauthenticated RCE. However, in agent architectures where agents interact with sensitive tools or data under an owner's credentials, preserved privileged context can enable significant lateral movement. The absence of EPSS data and public exploits reduces urgency, but the package's 135+ CVE history signals a codebase with chronic authorization and trust-boundary issues, which compounds systemic risk.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | >= 2026.4.7, < 2026.4.14 | 2026.4.14 |
What should I do?
1. Upgrade openclaw to >= 2026.4.14 immediately — the fix adds wake and hook event reasons to owner-downgrade inspection and forces downgrade for untrusted hook wake events (PR #66031).
2. If immediate upgrade is blocked, restrict webhook endpoints to authenticated trusted sources at the network or WAF layer — reject or validate webhook origins before they reach the agent.
3. Audit agent execution logs for heartbeat/wake events from external sources processed before 2026.4.14 deployment to identify potential exploitation windows.
4. Scope agent permissions to minimum necessary — reduce owner-level tool grants to limit blast radius from any privilege preservation.
5. Monitor for anomalous tool invocations or data access patterns immediately following webhook events.
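
To support the upgrade step, the following added example (not part of the advisory or of openclaw) classifies every openclaw copy recorded in an npm lockfile against the range `>= 2026.4.7, < 2026.4.14`, including nested copies pulled in by other packages. The sample lockfile is constructed; versions with a suffix or unexpected format are marked for manual review rather than guessed.

```javascript
// Added example (not openclaw code): find openclaw installs in the vulnerable range.
const VULN_MIN = [2026, 4, 7];  // first affected version per the advisory
const FIXED = [2026, 4, 14];    // first patched version per the advisory

// Numeric, segment-wise comparison so that 2026.4.14 sorts above 2026.4.7.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "affected", "ok" or "review" (suffix or non-numeric version).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  if (!m) return "review";
  const v = m.slice(1).map(Number);
  return cmp(v, VULN_MIN) >= 0 && cmp(v, FIXED) < 0 ? "affected" : "ok";
}

// Walks lockfile v2/v3 ("packages") or v1 ("dependencies"), nested copies included.
function findOpenclaw(lock) {
  const hits = [];
  const add = (path, meta) =>
    hits.push({ path, version: meta.version, status: classify(meta.version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/openclaw" || path.endsWith("/node_modules/openclaw")) {
      add(path, meta);
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === "openclaw") add(prefix + name, meta);
      walk(meta.dependencies, `${prefix}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-agent", version: "1.0.0" },
    "node_modules/openclaw": { version: "2026.4.14" },
    "node_modules/some-plugin/node_modules/openclaw": { version: "2026.4.9" },
    "node_modules/other/node_modules/openclaw": { version: "2026.4.14-beta.1" },
  },
};
console.log(findOpenclaw(sampleLock));
```
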
Frequently Asked Questions
Is GHSA-g2hm-779g-vm32 actively exploited?
No confirmed active exploitation of GHSA-g2hm-779g-vm32 has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-g2hm-779g-vm32?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, webhook-triggered AI pipelines, event-driven AI systems, multi-agent orchestration.
What is the CVSS score for GHSA-g2hm-779g-vm32?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0053 AI Agent Tool Invocation
- AML.T0080 AI Agent Context Poisoning
- AML.T0107 Exploitation for Defense Evasion
- AML.T0110 AI Agent Tool Poisoning
What are the technical details?
Original Advisory
## Summary

Heartbeat owner downgrade missed untrusted webhook wake events.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.4.7 < 2026.4.14`
- Patched versions: `>= 2026.4.14`

## Impact

Heartbeat owner downgrade logic could skip webhook wake events carrying untrusted content, preserving owner-like execution context where the run should have been downgraded.

## Technical Details

The fix includes wake and hook event reasons in owner-downgrade inspection and forces downgrade for untrusted hook wake events.

## Fix

The issue was fixed in #66031. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `31281bc92f55796817a92bc43f722cba1e77ab42`
- PR: #66031

## Release Process Note

Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
Exploitation Scenario
An attacker with access to send webhook requests to an openclaw-powered agent — via a third-party integration, compromised upstream service, or publicly exposed webhook endpoint — crafts a wake event that triggers the agent's heartbeat processing. Because the owner-downgrade logic fails to inspect the event reason or hook type, the agent continues executing with owner-level context. The attacker's untrusted payload now runs with elevated privileges, invoking restricted tools such as file system access or API calls authenticated with owner credentials. In a multi-tenant or enterprise deployment, this can enable cross-tenant exfiltration or persistent access to resources the attacker should never reach. Given AIID #1368 documented malicious openclaw skills actively harvesting credentials in the same ecosystem, this privilege preservation flaw could amplify that attack class significantly.
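
The authorization pattern behind this scenario, as an added example that is a simplified model and not openclaw source code: a downgrade check that inspects only some event reasons fails open, while the corrected form inspects wake and hook reasons as the advisory describes. The event fields (`reason`, `trusted`), the reason names, the run records and the fail-closed handling of unknown reasons are assumptions made for illustration; the audit helper shows how recorded runs can be re-evaluated with the corrected decision.

```javascript
// Simplified model of the flaw class, not openclaw source code.
// Event fields (reason, trusted) and reason names are hypothetical.

// Flawed pattern: only listed reasons are inspected, so untrusted content that
// arrives under "wake" or "hook" never triggers the downgrade (fails open).
function decideFlawed(events) {
  const inspected = new Set(["message"]);
  const hit = events.some((e) => inspected.has(e.reason) && e.trusted !== true);
  return hit ? "restricted" : "owner";
}

// Corrected pattern following the advisory's description: wake and hook reasons
// are inspected and any untrusted event forces the downgrade. Treating unknown
// reasons as untrusted is extra hardening added for this example.
function decideFixed(events) {
  const known = new Set(["message", "wake", "hook"]);
  const hit = events.some((e) => !known.has(e.reason) || e.trusted !== true);
  return hit ? "restricted" : "owner";
}

// Audit helper: ids of runs that executed as owner although the corrected
// decision would have downgraded them.
function auditRuns(records) {
  return records
    .filter((r) => r.context === "owner" && decideFixed(r.events) === "restricted")
    .map((r) => r.id);
}

// Constructed run records; "context" is what the flawed logic would have chosen.
const runs = [
  { id: "run-1", events: [{ reason: "message", trusted: true }] },
  { id: "run-2", events: [{ reason: "message", trusted: false }] },
  { id: "run-3", events: [{ reason: "hook", trusted: false }] },
  { id: "run-4", events: [{ reason: "wake", trusted: true }, { reason: "hook", trusted: false }] },
  { id: "run-5", events: [{ reason: "wake", trusted: true }] },
].map((r) => ({ ...r, context: decideFlawed(r.events) }));

console.log(auditRuns(runs));
```
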
Weaknesses (CWE)
CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
Related Vulnerabilities
| CVE | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-33579 | 9.9 | OpenClaw: scope bypass escalates low-priv to admin | Same package: openclaw |
| CVE-2026-32922 | 9.9 | OpenClaw: privilege escalation to RCE via token scope bypass | Same package: openclaw |
| CVE-2026-53838 | 9.8 | OpenClaw: approval scope bypass via reconnection state | Same package: openclaw |
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-32038 | 9.8 | Analysis pending | Same package: openclaw |