GHSA-jf25-7968-h2h5: openclaw: path traversal bypasses workspace filesystem guard

GHSA-jf25-7968-h2h5 MEDIUM
Published April 17, 2026
CISO Take

openclaw's screen recording tool failed to apply the workspace-root boundary check to outPath parameters, allowing any authorized tool invocation to write files anywhere on the host filesystem. With 135 prior CVEs in the same package, this reflects a recurring pattern of inadequate sandbox enforcement in an AI coding agent that operates with broad local filesystem access by design. The path traversal (CWE-22) is trivially exploitable by anyone who can invoke the tool — including adversaries who have achieved prompt injection — and no compensating controls exist in unpatched versions. Teams running openclaw should upgrade immediately to version 2026.4.14; if patching is not immediately possible, disable screen recording tool access or restrict agent filesystem permissions via OS-level controls.

Sources: GitHub Advisory, ATLAS, CISA KEV

What is the risk?

Medium overall, but effective exploitability is high for anyone with authorized agent access. The path traversal is mechanically trivial — no AI/ML expertise required, just a crafted outPath value. Blast radius is constrained by 4 direct npm dependents, but the impact per exploit is significant: arbitrary filesystem write from within a trusted agent context. The 135 prior CVEs in this package indicate chronic security debt and should elevate scores in any vendor or dependency risk assessment program.

How does the attack unfold?

Initial Access
Adversary gains ability to invoke openclaw agent tools via direct session access or through prompt injection embedded in a malicious code repository or ingested document.
AML.T0051
Exploitation
Adversary crafts a screen_record tool call with outPath containing path traversal sequences (e.g., '../../.ssh/authorized_keys'), bypassing the workspace-root guard due to the missing validation on the outPath parameter.
AML.T0053
Workspace Escape
The agent process writes to the attacker-specified path outside the workspace boundary, breaking out of the intended filesystem sandbox with the agent's full OS-level permissions.
AML.T0105
Impact
Adversary achieves arbitrary file write on the host — enabling SSH key injection for persistence, credential theft, or supply chain poisoning of build artifacts consumed downstream.
AML.T0086

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable range: < 2026.4.10
Patched: 2026.4.10
Dependents: 4 (36% patched, ~3d to patch)

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. Upgrade to openclaw 2026.4.14 (latest stable, includes fix from 2026.4.10).

  2. If patching is delayed, disable or restrict the screen_record tool in agent configuration.

  3. Apply OS-level filesystem restrictions (chroot, seccomp, AppArmor) to contain the agent process scope.

  4. Audit recent agent logs for screen_record invocations with outPath values containing '../' sequences or absolute paths outside the workspace root.

  5. Review all openclaw tool invocations in CI/CD pipelines for suspicious path patterns. Detection query: grep agent logs for screen_record tool calls where outPath does not begin with the designated workspace root directory.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2.5 - AI System Security
NIST AI RMF: MANAGE 2.2 - Risk Treatments — Security Controls for AI Systems
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is GHSA-jf25-7968-h2h5?

openclaw's screen recording tool failed to apply the workspace-root boundary check to outPath parameters, allowing any authorized tool invocation to write files anywhere on the host filesystem. With 135 prior CVEs in the same package, this reflects a recurring pattern of inadequate sandbox enforcement in an AI coding agent that operates with broad local filesystem access by design. The path traversal (CWE-22) is trivially exploitable by anyone who can invoke the tool — including adversaries who have achieved prompt injection — and no compensating controls exist in unpatched versions. Teams running openclaw should upgrade immediately to version 2026.4.14; if patching is not immediately possible, disable screen recording tool access or restrict agent filesystem permissions via OS-level controls.

Is GHSA-jf25-7968-h2h5 actively exploited?

No confirmed active exploitation of GHSA-jf25-7968-h2h5 has been reported, but organizations should still patch proactively.

How to fix GHSA-jf25-7968-h2h5?

  1. Upgrade to openclaw 2026.4.14 (latest stable, includes fix from 2026.4.10).

  2. If patching is delayed, disable or restrict the screen_record tool in agent configuration.

  3. Apply OS-level filesystem restrictions (chroot, seccomp, AppArmor) to contain the agent process scope.

  4. Audit recent agent logs for screen_record invocations with outPath values containing '../' sequences or absolute paths outside the workspace root.

  5. Review all openclaw tool invocations in CI/CD pipelines for suspicious path patterns. Detection query: grep agent logs for screen_record tool calls where outPath does not begin with the designated workspace root directory.

What systems are affected by GHSA-jf25-7968-h2h5?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development tooling, local AI agents, agentic coding environments, CI/CD pipelines using AI agents.

What is the CVSS score for GHSA-jf25-7968-h2h5?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI development tooling, local AI agents, agentic coding environments, CI/CD pipelines using AI agents

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0105 Escape to Host
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Summary

screen_record outPath bypassed workspace-only filesystem guard.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

The node-host screen recording tool could honor an `outPath` outside the workspace guard, allowing an authorized tool call to write outside the intended workspace boundary.

## Technical Details

The fix applies the workspace-root guard to node tool `outPath` handling, including screen recording paths.

## Fix

The issue was fixed in #63551. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `635bb35b68d8faa5bfa2fda35feadd315122748a`
- PR: #63551

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @anshumanbh for reporting this issue.

Exploitation Scenario

An adversary with access to an openclaw agent session — via direct access or successful prompt injection embedded in a malicious code repository — crafts a screen_record tool call with outPath set to '../../.ssh/authorized_keys' or '../../.bashrc'. The workspace guard, which normally restricts writes to the workspace directory, fails to validate this parameter. The tool executes and writes attacker-controlled content to the target host path. In a CI/CD context, a malicious pull request could contain a prompt injection payload that triggers this tool call, enabling persistence on the build server or poisoning of build artifacts consumed by downstream systems.

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
