GHSA-g375-h3v6-4873: openclaw: privilege retention via async exec completion miss

GHSA-g375-h3v6-4873 MEDIUM
Published April 17, 2026
CISO Take

This vulnerability in the openclaw AI agent framework causes the heartbeat owner-downgrade mechanism to miss local background exec completion events, leaving an agent run in a more privileged context than intended after it has processed untrusted completion content. The risk is meaningful in agentic deployments: an agent that still holds the elevated context can take file system, network, or tool actions on behalf of untrusted input that the intended, downgraded context would not have allowed. With 135 prior CVEs in the same package, openclaw carries a substantial vulnerability history that should factor into supply chain risk assessments. No public exploit exists and EPSS data is unavailable, but the exposed surface is the handling of background exec completion content: any pipeline that routes untrusted content into an openclaw agent's background exec path is affected. Upgrade to openclaw 2026.4.10 or later; no workaround is available short of disabling background exec.

Sources: GitHub Advisory, MITRE ATLAS, CISA KEV

What is the risk?

Medium severity in isolation, but elevated in AI agent contexts. The privilege management flaw (CWE-269) sits at the async execution boundary: the window in which heartbeat owner-downgrade should fire but does not, because the detector did not recognize the local background exec completion format. Exploitation requires the ability to get untrusted completion content in front of a running openclaw agent, which is realistic in multi-tenant or user-facing agentic deployments. The 135-CVE history of this package is a red flag for organizations conducting supply chain due diligence. Risk is highest for deployments where openclaw agents have broad tool access (file I/O, shell exec, API calls) and where user-supplied content can influence background execution.

How does the attack unfold?

  1. Untrusted Content Injection (AML.T0051.001)
     Adversary supplies crafted content through a user-facing interface that will be processed as completion content by a background exec task in openclaw.

  2. Privilege Downgrade Miss (AML.T0107)
     The background exec task completes; heartbeat owner-downgrade detection fails to recognize the local async exec completion format, skipping the privilege reduction step.

  3. Elevated Context Persistence (AML.T0112.000)
     The openclaw agent continues executing subsequent tool invocations in a more privileged context than intended, with no security control flagging the anomaly.

  4. Unauthorized Tool Actions (AML.T0053)
     Adversary leverages the retained elevated privileges to invoke agent tools accessing restricted resources (files, APIs, or shell commands) that would have been blocked under the correct privilege level.
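The attack chain above turns on one detail: the heartbeat decides whether to downgrade a run's owner context by recognizing exec-completion text, and the pre-fix detector did not recognize the local background exec format. The following is an added example written for this page, not openclaw's own code: it models that check with two hypothetical completion formats and shows that a follow-on tool call runs under the retained elevated context when the detector misses the local format, and under the downgraded context once detection is extended. The message formats, field names, the `elevated`/`downgraded` owner states and the function names are all assumptions; the real openclaw formats are not shown in the advisory.

```javascript
// Added example, not openclaw's own code: a minimal model of a heartbeat
// owner-downgrade check that keys on exec-completion text, showing why a
// detector that only knows one completion format leaves a run elevated.
// The two message formats, the field names and the 'elevated' /
// 'downgraded' owner states are assumptions for illustration; the real
// openclaw formats are not shown on the advisory page.

// Hypothetical completion formats. The first is the one the pre-fix
// detector recognises; the second stands in for the local background
// exec format that the advisory says was missed.
const SANDBOX_COMPLETION = /^\[exec completed\] id=(\S+) exit=(\d+)/;
const LOCAL_BG_COMPLETION = /^\[bg exec (\S+) finished\] status=(\d+)/;

// Pre-fix detector: only matches the sandboxed completion format.
function isExecCompletionVulnerable(text) {
  return SANDBOX_COMPLETION.test(text);
}

// Post-fix detector: also matches the local background exec format.
function isExecCompletionFixed(text) {
  return SANDBOX_COMPLETION.test(text) || LOCAL_BG_COMPLETION.test(text);
}

// A run holds an owner context. While an exec is outstanding the run is
// 'elevated'; when completion text arrives the heartbeat is supposed to
// downgrade the owner before any further tool call is dispatched.
function createRun() {
  return { owner: 'elevated', toolCalls: [] };
}

function heartbeat(run, incomingText, detect) {
  if (run.owner === 'elevated' && detect(incomingText)) {
    run.owner = 'downgraded';
  }
  return run.owner;
}

// Tool dispatch records the owner context each call executed under.
function invokeTool(run, tool) {
  run.toolCalls.push({ tool, owner: run.owner });
  return run.owner;
}

// Drive one run: completion text arrives, then an attacker-influenced
// follow-on tool call. Returns the owner context that tool call ran under.
function simulate(completionText, detect) {
  const run = createRun();
  heartbeat(run, completionText, detect);
  return invokeTool(run, 'read_file');
}

// Constructed inputs: untrusted output trailing the completion line is
// included to mirror the 'untrusted completion content' in the advisory.
const localCompletion =
  '[bg exec job-17 finished] status=0\nuntrusted output follows here';
const sandboxCompletion = '[exec completed] id=job-17 exit=0';

console.log('pre-fix,  local bg format :', simulate(localCompletion, isExecCompletionVulnerable));   // elevated
console.log('post-fix, local bg format :', simulate(localCompletion, isExecCompletionFixed));        // downgraded
console.log('pre-fix,  sandbox format  :', simulate(sandboxCompletion, isExecCompletionVulnerable)); // downgraded
```

The model keeps text matching because that is what the advisory describes, but a text-keyed downgrade is itself a weak design: the completion content is untrusted, so output that imitates or obscures the marker can influence the decision. A structured completion event from the exec subsystem (job id and exit status, not free text) is the safer signal to key the downgrade on.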

What systems are affected?

Package    Ecosystem   Vulnerable Range            Patched     Dependents   Patched share   Time to patch
OpenClaw   npm         >= 2026.3.31, < 2026.4.10   2026.4.10   4            36%             ~3d
OpenClaw   pip         (not stated)                No patch    4            36%             ~3d

The GitHub advisory lists the npm package only; it gives no vulnerable range or patched version for pip.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Upgrade openclaw to version 2026.4.10 or later (2026.4.14 is the current stable release containing the fix).

  2. No supported workaround exists — the fix requires code changes to exec-completion detection.

  3. As an interim control, restrict openclaw agents to the minimum required privilege level at process start, reducing the delta if downgrade fails.

  4. Audit pipeline configurations for any background exec invocations that accept untrusted content (user input, external API responses, third-party tool output).

  5. Monitor for tool invocations that follow a background exec completion with no owner downgrade recorded in between, using the agent's run or tool-invocation logs where available. The retained context is an application-level owner context, not an OS privilege, so OS-level auditing (auditd, macOS unified logging) sees only its effects, such as the files read or shell commands run by the agent process, and serves as a defense-in-depth signal rather than a direct detector.

  6. Given the 135-CVE history, evaluate whether openclaw is an acceptable dependency — consider requiring OpenSSF Scorecard evaluation before re-approving.
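Steps 4 and 5 call for a monitoring check rather than a code change. The following is an added example, not openclaw's own logging or tooling: it scans constructed JSON-lines agent logs for the observable symptom of this bug, a tool invocation dispatched after an exec completion with no owner downgrade recorded in between, and reports the exec mode so local background jobs can be told apart from sandboxed ones. The log schema, event names (`exec.start`, `exec.complete`, `owner.downgrade`, `tool.invoke`), field names and the sample lines are all constructed assumptions for illustration.

```javascript
// Added example, not openclaw's own logging or tooling: a detection
// check over agent run logs for tool invocations that follow an exec
// completion with no owner downgrade recorded in between, which is the
// observable symptom of this bug. The JSON-lines schema, the event and
// field names, and the log content below are constructed assumptions.

const constructedLog = [
  '{"ts":"2026-04-17T10:00:00Z","run":"r1","event":"exec.start","mode":"local-bg","job":"j1"}',
  '{"ts":"2026-04-17T10:00:03Z","run":"r1","event":"exec.complete","job":"j1","exit":0}',
  '{"ts":"2026-04-17T10:00:04Z","run":"r1","event":"tool.invoke","tool":"shell","args":"cat /etc/shadow"}',
  '{"ts":"2026-04-17T10:01:00Z","run":"r2","event":"exec.start","mode":"sandbox","job":"j2"}',
  '{"ts":"2026-04-17T10:01:02Z","run":"r2","event":"exec.complete","job":"j2","exit":0}',
  '{"ts":"2026-04-17T10:01:02Z","run":"r2","event":"owner.downgrade","job":"j2"}',
  '{"ts":"2026-04-17T10:01:05Z","run":"r2","event":"tool.invoke","tool":"read_file","args":"README.md"}',
  'not json: a line the parser must skip rather than abort on',
].join('\n');

// Parse JSON lines, skipping blank or malformed entries.
function parseLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try {
      events.push(JSON.parse(line));
    } catch (err) {
      // malformed line: skip it, do not abort the whole scan
    }
  }
  return events;
}

// Per run, remember the exec mode of the outstanding job and whether a
// completion has been seen without a following owner downgrade. Every
// tool call dispatched inside that window is a finding.
function findRetainedPrivilege(events) {
  const modeByRun = new Map();
  const pendingByRun = new Map();
  const findings = [];
  for (const ev of events) {
    switch (ev.event) {
      case 'exec.start':
        modeByRun.set(ev.run, ev.mode);
        break;
      case 'exec.complete':
        pendingByRun.set(ev.run, ev.job);
        break;
      case 'owner.downgrade':
        pendingByRun.delete(ev.run);
        break;
      case 'tool.invoke':
        if (pendingByRun.has(ev.run)) {
          findings.push({
            run: ev.run,
            job: pendingByRun.get(ev.run),
            mode: modeByRun.get(ev.run) || 'unknown',
            tool: ev.tool,
            args: ev.args,
            ts: ev.ts,
          });
        }
        break;
      default:
        break;
    }
  }
  return findings;
}

const findings = findRetainedPrivilege(parseLog(constructedLog));
for (const f of findings) {
  console.log(`ALERT run=${f.run} job=${f.job} mode=${f.mode} tool=${f.tool} args=${JSON.stringify(f.args)} at ${f.ts}`);
}
```

Run r2 completes a sandboxed exec, records the downgrade, then calls a tool, and produces no finding; run r1 completes a local background exec and calls a tool with no downgrade in between, which is the pattern this advisory describes. The rule is order-sensitive: if a deployment logs the downgrade after the first tool call for benign reasons, tune on timestamps or on the `mode` field before alerting on it.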

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system; Article 15.1 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.1.2 - AI system risk assessment; A.9.2 - Access control for AI systems; A.9.3 - Protection of AI Systems
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain oversight of AI systems
OWASP LLM Top 10: LLM06:2025 - Excessive Agency; LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-g375-h3v6-4873?

GHSA-g375-h3v6-4873 is a medium-severity improper privilege management flaw (CWE-269) in the openclaw AI agent framework, affecting npm versions >= 2026.3.31 and < 2026.4.10. The heartbeat owner-downgrade mechanism failed to recognize local background exec completion text, so a run that had processed untrusted completion content could keep a more privileged context than intended for its subsequent tool invocations. The fix in 2026.4.10 extends exec-completion detection to local background exec formats.

Is GHSA-g375-h3v6-4873 actively exploited?

No confirmed active exploitation of GHSA-g375-h3v6-4873 has been reported, but organizations should still patch proactively.

How to fix GHSA-g375-h3v6-4873?

Upgrade openclaw to version 2026.4.10 or later (2026.4.14 is the current stable release containing the fix). There is no supported workaround, because the fix changes exec-completion detection itself. Until the upgrade lands, start agents at the minimum required privilege so that a missed downgrade retains as little as possible, audit background exec invocations that accept untrusted content, and monitor for tool invocations that follow a background exec completion without a recorded owner downgrade. The full six-step list is in the "What should I do?" section above.

What systems are affected by GHSA-g375-h3v6-4873?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI agent deployments, multi-step agentic pipelines, tool-augmented LLM agents.

What is the CVSS score for GHSA-g375-h3v6-4873?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, local AI agent deployments, multi-step agentic pipelines, tool-augmented LLM agents

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0107 Exploitation for Defense Evasion
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Art. 9, Article 15.1
ISO 42001: A.6.1.2, A.9.2, A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025, LLM08

What are the technical details?

Original Advisory

## Summary

Heartbeat owner downgrade missed local async exec completion events.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.3.31 < 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

Local background exec completion text could be missed by heartbeat owner-downgrade detection, leaving a run in a more privileged context than intended after untrusted completion content.

## Technical Details

The fix expands exec-completion detection to local background exec formats and adds targeted tests.

## Fix

The issue was fixed in #64376. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `19a2e9ddb5a8a494abcba812bb11f51075026a27`
- PR: #64376

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An adversary operating through a user-facing AI agent interface submits crafted input designed to trigger a background execution task in openclaw. The task completes asynchronously; the heartbeat owner-downgrade mechanism checks for completion events but does not recognize the local background exec format, so it never demotes the run's owner context. The agent continues operating with the elevated context for subsequent tool invocations. The adversary then submits follow-on requests that use the retained context to access restricted files, invoke privileged shell commands, or exfiltrate data that the intended privilege boundary would have blocked. No special AI/ML knowledge is required: the attacker only needs to know that openclaw's background exec path reaches the vulnerable code.

Weaknesses (CWE)

CWE-269 — Improper Privilege Management: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system.

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026
