GHSA-jwrq-8g5x-5fhm: openclaw: auth context reuse enables privilege escalation

GHSA-jwrq-8g5x-5fhm MEDIUM
Published April 17, 2026
CISO Take

openclaw's collect-mode queue processor bound entire message batches to the final sender's authorization context, meaning a low-privilege actor's queued message could execute with a high-privilege user's credentials if both landed in the same batch. In multi-tenant AI agent deployments — where different users submit requests to a shared agent — this is a straightforward privilege escalation: craft a message targeting a restricted tool or API call, time it to share a batch with an admin user, and inherit their authorization context for free. With 135 CVEs documented in this package, this is not an isolated incident but a pattern of systemic authorization weaknesses in a framework that manages agent tool invocations and external API calls. Upgrade to openclaw >= 2026.4.14 immediately; if patching is not yet possible, disable collect-mode batching and process messages individually with per-message context isolation.

Sources: GitHub Advisory, MITRE ATLAS

What is the risk?

Medium overall, elevated in multi-user deployments. CWE-863 (Incorrect Authorization) is a structural design flaw, not a misconfiguration — every pre-patch deployment using collect-mode with multiple privilege levels is affected. No public exploit code exists and EPSS data is unavailable, reducing immediate threat probability. However, the exploit logic is intuitive: an attacker needs only queue access and timing awareness, requiring no specialized AI/ML knowledge. The 135 prior CVEs in this package are a significant signal of chronic security debt and justify elevated scrutiny of any openclaw deployment regardless of this specific fix.

How does the attack unfold?

  1. Queue Targeting (AML.T0053): Attacker identifies a multi-user openclaw deployment with collect-mode batching enabled and crafts a message targeting a privileged tool invocation they cannot normally authorize.

  2. Batch Co-location (AML.T0107): Attacker times or waits for their message to land in the same collect-mode batch as a high-privilege user's routine message, triggering the authorization context confusion.

  3. Privilege Inheritance: openclaw resolves the entire batch's authorization to the final (high-privilege) sender's context, causing the attacker's message to execute with admin-level permissions.

  4. Unauthorized Tool Execution (AML.T0086): Attacker's message invokes a restricted agent tool — data export, admin API, or file access — under the inherited privileged context, completing the unauthorized action.

What systems are affected?

Package   Ecosystem  Vulnerable Range  Patched    Dependents  Patched share  Time to patch
OpenClaw  npm        < 2026.4.14       2026.4.14  4           36%            ~3d
OpenClaw  pip                          No patch   4           36%            ~3d

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. Upgrade openclaw to >= 2026.4.14, which splits collect-mode batches by sender authorization context before dispatch.

  2. If immediate patching is not feasible, disable collect-mode batching entirely and fall back to sequential per-message processing.

  3. Review agent tool access logs for batch dispatch events involving multiple distinct senders — flag any instance where a low-privilege sender's tool invocation succeeded against a normally restricted resource.

  4. Implement per-message authorization context pinning at the infrastructure layer as defense-in-depth.

  5. Audit all openclaw deployments for additional authorization weaknesses given the package's 135-CVE history.
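Step 3 asks for a review of batch dispatch logs for batches that mixed senders and let a low-privilege sender succeed against a restricted tool. The following is an added example of that review logic, not openclaw's own code: the advisory does not specify openclaw's log schema, so the one-JSON-object-per-dispatched-message format, the field names (batch, sender, role, tool, status), the role-to-tool entitlement map and the sample log lines are all constructed assumptions. The logic only flags a batch when it contains more than one distinct sender, since a single-sender batch cannot mix authorization contexts.

```javascript
// Added example (not openclaw's code): review logic for "flag any instance
// where a low-privilege sender's tool invocation succeeded against a normally
// restricted resource" inside a multi-sender batch. Log format, field names,
// role policy and sample lines are constructed assumptions.

// Constructed sample of batch-dispatch log lines, one JSON object per
// dispatched message. Batch b2 mixes a guest and an admin; the guest's
// export_dataset call succeeded even though guests are not entitled to it.
const SAMPLE_LOG = [
  '{"batch":"b1","sender":"alice","role":"analyst","tool":"search","status":"ok"}',
  '{"batch":"b2","sender":"guest","role":"guest","tool":"export_dataset","status":"ok"}',
  '{"batch":"b2","sender":"admin","role":"admin","tool":"search","status":"ok"}',
  '{"batch":"b3","sender":"guest","role":"guest","tool":"export_dataset","status":"denied"}',
  'not a json line -- should be skipped, not crash the review',
];

// Assumed entitlement policy: which tools each role may invoke on its own.
const ROLE_TOOLS = {
  guest: new Set(["search"]),
  analyst: new Set(["search", "summarize"]),
  admin: new Set(["search", "summarize", "export_dataset", "admin_api"]),
};

// Parse log lines, tolerating malformed ones (real logs always have some).
function parseLog(lines) {
  const events = [];
  for (const line of lines) {
    try {
      events.push(JSON.parse(line));
    } catch {
      // skip malformed lines
    }
  }
  return events;
}

// Group dispatch events by batch id; within batches that had more than one
// distinct sender, flag every successful call to a tool the sender's own
// role is not entitled to. Each finding names the co-senders in the batch so
// the reviewer can see whose context the call may have inherited.
function findSuspiciousDispatches(lines) {
  const byBatch = new Map();
  for (const ev of parseLog(lines)) {
    if (!byBatch.has(ev.batch)) byBatch.set(ev.batch, []);
    byBatch.get(ev.batch).push(ev);
  }

  const findings = [];
  for (const [batch, events] of byBatch) {
    const senders = new Set(events.map((e) => e.sender));
    if (senders.size < 2) continue; // single-sender batches cannot mix contexts
    for (const ev of events) {
      const entitled = ROLE_TOOLS[ev.role] ?? new Set();
      if (ev.status === "ok" && !entitled.has(ev.tool)) {
        findings.push({
          batch,
          sender: ev.sender,
          role: ev.role,
          tool: ev.tool,
          coSenders: [...senders].filter((s) => s !== ev.sender),
        });
      }
    }
  }
  return findings;
}

console.log(findSuspiciousDispatches(SAMPLE_LOG));
```

On the constructed sample this reports exactly one finding, the guest's export_dataset call in batch b2 alongside admin. Batch b3 is not reported because the same call was denied there, which is the expected outcome when the guest's own context is applied.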

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: 8.4 - AI system operation and monitoring
NIST AI RMF: MANAGE 3.1 - AI risks from third-party resources are monitored and controlled
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-jwrq-8g5x-5fhm?

openclaw's collect-mode queue processor bound entire message batches to the final sender's authorization context, meaning a low-privilege actor's queued message could execute with a high-privilege user's credentials if both landed in the same batch. In multi-tenant AI agent deployments — where different users submit requests to a shared agent — this is a straightforward privilege escalation: craft a message targeting a restricted tool or API call, time it to share a batch with an admin user, and inherit their authorization context for free. With 135 CVEs documented in this package, this is not an isolated incident but a pattern of systemic authorization weaknesses in a framework that manages agent tool invocations and external API calls. Upgrade to openclaw >= 2026.4.14 immediately; if patching is not yet possible, disable collect-mode batching and process messages individually with per-message context isolation.

Is GHSA-jwrq-8g5x-5fhm actively exploited?

No confirmed active exploitation of GHSA-jwrq-8g5x-5fhm has been reported, but organizations should still patch proactively.

How to fix GHSA-jwrq-8g5x-5fhm?

  1. Upgrade openclaw to >= 2026.4.14, which splits collect-mode batches by sender authorization context before dispatch.

  2. If immediate patching is not feasible, disable collect-mode batching entirely and fall back to sequential per-message processing.

  3. Review agent tool access logs for batch dispatch events involving multiple distinct senders — flag any instance where a low-privilege sender's tool invocation succeeded against a normally restricted resource.

  4. Implement per-message authorization context pinning at the infrastructure layer as defense-in-depth.

  5. Audit all openclaw deployments for additional authorization weaknesses given the package's 135-CVE history.

What systems are affected by GHSA-jwrq-8g5x-5fhm?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI agent deployments, AI orchestration pipelines.

What is the CVSS score for GHSA-jwrq-8g5x-5fhm?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-tenant AI agent deployments, AI orchestration pipelines

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0085 Data from AI Services
AML.T0086 Exfiltration via AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: MANAGE 3.1
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

## Summary

Collect-mode queue batches could reuse the last sender authorization context.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.14`
- Patched versions: `>= 2026.4.14`

## Impact

Collect-mode queued messages from different senders could be drained as one batch using the final sender's authorization context, allowing earlier messages to inherit a more privileged context.

## Technical Details

The fix splits collect-mode batches by sender authorization context before dispatch, preserving each message's own trust state.

## Fix

The issue was fixed in #66024. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `43d4be902755c970b3d15608679761877718da69`
- PR: #66024

## Release Process Note

Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
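The advisory states the defect (a drained batch is authorized under the final sender's context) and the fix (split the batch by sender authorization context before dispatch) in one sentence each. The following added example, which is not openclaw's code and does not use its API, models both behaviours on a toy queue so the difference is visible: the message and context shapes, the tool allow-lists, and the assumption that the sender identity keys the authorization context are all constructed for illustration.

```javascript
// Added example (not openclaw's code): a minimal model of a collect-mode
// queue showing the pre-fix drain beside the fixed drain described in the
// advisory. Context shape, tool names and senders are constructed.

// Authorization context as the queue sees it: who sent the message and which
// tools that sender may invoke. (Constructed shape, not openclaw's real type.)
function makeContext(sender, allowedTools) {
  return { sender, allowedTools: new Set(allowedTools) };
}

// Dispatch-time authorization check: the tool must be on the allow-list of
// the context the batch is dispatched under.
function authorize(ctx, tool) {
  return ctx.allowedTools.has(tool);
}

// Pre-fix behaviour as the advisory describes it: the whole batch is
// dispatched under the context of the *last* queued message, so earlier
// messages inherit whatever that sender is allowed to do.
function drainVulnerable(queue) {
  if (queue.length === 0) return [];
  const batchCtx = queue[queue.length - 1].ctx;
  return queue.map((m) => ({
    sender: m.ctx.sender,
    tool: m.tool,
    dispatchedAs: batchCtx.sender,
    allowed: authorize(batchCtx, m.tool),
  }));
}

// Fixed behaviour: split the batch by sender authorization context before
// dispatch. Assumption: sender identity keys the context. Order within each
// sub-batch is preserved.
function splitByContext(queue) {
  const groups = new Map();
  for (const m of queue) {
    const key = m.ctx.sender;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(m);
  }
  return [...groups.values()];
}

// Each sub-batch is dispatched under its own context, so every message is
// authorized against its sender's trust state and nothing else.
function drainFixed(queue) {
  const results = [];
  for (const batch of splitByContext(queue)) {
    const batchCtx = batch[0].ctx; // all messages here share one context
    for (const m of batch) {
      results.push({
        sender: m.ctx.sender,
        tool: m.tool,
        dispatchedAs: batchCtx.sender,
        allowed: authorize(batchCtx, m.tool),
      });
    }
  }
  return results;
}

// Constructed sample batch: a low-privilege sender queues a restricted tool
// call, then an admin's routine message lands in the same collect window.
const lowPriv = makeContext("guest", ["search"]);
const admin = makeContext("admin", ["search", "export_dataset"]);
const sampleQueue = [
  { ctx: lowPriv, tool: "export_dataset" },
  { ctx: admin, tool: "search" },
];

// Authorization outcome for the guest's export_dataset message under each drain.
function compareOutcomes() {
  const vuln = drainVulnerable(sampleQueue).find((r) => r.sender === "guest");
  const fixed = drainFixed(sampleQueue).find((r) => r.sender === "guest");
  return {
    vulnerable: { allowed: vuln.allowed, dispatchedAs: vuln.dispatchedAs },
    fixed: { allowed: fixed.allowed, dispatchedAs: fixed.dispatchedAs },
  };
}

console.log(compareOutcomes());
```

Under drainVulnerable the guest's export_dataset call is dispatched as admin and passes authorization; under drainFixed it is dispatched as guest and is refused. The same structure is what step 4 of the remediation list calls context pinning: the authorization decision for a message is a function of that message's own context only.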

Exploitation Scenario

An attacker with a low-privilege account in a shared enterprise openclaw deployment identifies that the system uses collect-mode batching. They craft a message instructing the agent to export a sensitive dataset or call an admin API endpoint — an action blocked for their account under normal authorization. They submit this message to the queue, then monitor for or wait until a high-privilege user (e.g., an admin running a scheduled task) submits their own routine message. Both messages land in the same collect-mode batch; openclaw resolves the batch authorization to the admin's context. The attacker's message executes as the admin, successfully triggering the privileged tool call and exfiltrating the data before the batch is cleared.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026

Related Vulnerabilities