GHSA-p73f-w79w-jqr5: OpenClaw: owner-command auth bypass via native cmds

GHSA-p73f-w79w-jqr5 HIGH
Published July 2, 2026
CISO Take

OpenClaw, an AI agent gateway, shipped a flaw (CWE-863, Incorrect Authorization) where the native command handler could execute an owner-only command without enforcing the configured owner-only policy, letting a lower-trust sender run privileged actions on the agent. There is no public exploit and no Nuclei template, and it is not in CISA KEV, so opportunistic mass exploitation is unlikely today — but the bug requires no special skill once understood, only that the native command feature is enabled and reachable by an untrusted sender, which is a common setup when one Gateway is shared across a team or community. The package's track record adds context: 425 other CVEs are recorded against openclaw and its risk score is 0/100, suggesting a component with a broad, recurring attack surface, even though only 4 downstream dependents are currently tracked. Patch to 2026.5.6 immediately; until then, restrict native command surfaces to trusted senders, disable the feature if unused, and avoid sharing one Gateway between mutually untrusted users. Detection teams should audit command logs for owner-privileged actions (config changes, exec, shutdown) originating from non-owner sender identities during the exposure window.

Sources: GitHub Advisory ATLAS

What is the risk?

Rated high severity on CWE-863 (Incorrect Authorization) but with mitigating exploitation signals: no CVSS/EPSS scoring yet, no CISA KEV listing, no known public exploit or scanner template. Actual risk is highly configuration-dependent — exploitability requires the native command feature to be enabled and reachable by a sender who should not hold owner privileges, meaning single-owner or fully trusted-operator deployments are largely unaffected. Where OpenClaw gateways are shared across teams, communities, or externally-facing channels, the risk is materially higher because any participant able to trigger native command handling could escalate to owner-level actions. The package's broader history (425 other CVEs, OpenSSF/risk score 0/100) signals weak overall security hygiene in this component, which should raise baseline scrutiny of any deployment.

How does the attack unfold?

Initial Access
A non-owner sender with access to the shared OpenClaw gateway's channel sends a message intended to trigger native command handling.
AML.T0053
Authorization Bypass
The native command handler processes the request without enforcing the configured owner-only policy check, due to CWE-863.
Privileged Execution
The command executes with owner-level privileges even though it originated from an untrusted sender.
AML.T0108
Impact
The attacker abuses the elevated command to disrupt, reconfigure, or otherwise act on the agent and its connected systems beyond their intended trust level.
AML.T0081

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm <= 2026.5.5 2026.5.6
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

1 step
  1. 1) Patch to openclaw 2026.5.6 or later immediately. 2) Until patched, disable the native command feature if it is not required. 3) Restrict native command surfaces to explicitly trusted senders only; keep channel and tool allowlists as narrow as possible. 4) Never share a single Gateway instance between mutually untrusted users/tenants — segment deployments per trust boundary. 5) Detection: review logs for owner-privileged command executions (config changes, shutdown, exec-type actions) triggered by sender identities that are not the configured owner, particularly in the window before the patch was applied. 6) After patching, re-verify that owner-only command policy enforcement behaves as expected via a test message from a non-owner identity.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - Access control for AI system elements
NIST AI RMF
MANAGE 4.1 - AI system risks from third-party or unauthorized access are managed
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-p73f-w79w-jqr5?

OpenClaw, an AI agent gateway, shipped a flaw (CWE-863, Incorrect Authorization) where the native command handler could execute an owner-only command without enforcing the configured owner-only policy, letting a lower-trust sender run privileged actions on the agent. There is no public exploit and no Nuclei template, and it is not in CISA KEV, so opportunistic mass exploitation is unlikely today — but the bug requires no special skill once understood, only that the native command feature is enabled and reachable by an untrusted sender, which is a common setup when one Gateway is shared across a team or community. The package's track record adds context: 425 other CVEs are recorded against openclaw and its risk score is 0/100, suggesting a component with a broad, recurring attack surface, even though only 4 downstream dependents are currently tracked. Patch to 2026.5.6 immediately; until then, restrict native command surfaces to trusted senders, disable the feature if unused, and avoid sharing one Gateway between mutually untrusted users. Detection teams should audit command logs for owner-privileged actions (config changes, exec, shutdown) originating from non-owner sender identities during the exposure window.

Is GHSA-p73f-w79w-jqr5 actively exploited?

No confirmed active exploitation of GHSA-p73f-w79w-jqr5 has been reported, but organizations should still patch proactively.

How to fix GHSA-p73f-w79w-jqr5?

1) Patch to openclaw 2026.5.6 or later immediately. 2) Until patched, disable the native command feature if it is not required. 3) Restrict native command surfaces to explicitly trusted senders only; keep channel and tool allowlists as narrow as possible. 4) Never share a single Gateway instance between mutually untrusted users/tenants — segment deployments per trust boundary. 5) Detection: review logs for owner-privileged command executions (config changes, shutdown, exec-type actions) triggered by sender identities that are not the configured owner, particularly in the window before the patch was applied. 6) After patching, re-verify that owner-only command policy enforcement behaves as expected via a test message from a non-owner identity.

What systems are affected by GHSA-p73f-w79w-jqr5?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant agent gateways, chat-integrated AI agents.

What is the CVSS score for GHSA-p73f-w79w-jqr5?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-tenant agent gatewayschat-integrated AI agents

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0108 AI Agent

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 4.1
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

### Summary Native command authorization could skip owner-command enforcement. In affected versions, a sender able to trigger native command handling could authorize a native command without enforcing the configured owner-only command policy. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. ### Impact When the affected feature is enabled and reachable, this could run an owner-style command from a sender that should not have that command access. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. ### Patched Versions The first stable patched version is `2026.5.6`. ### Mitigations keep native command surfaces limited to trusted senders until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Exploitation Scenario

An organization runs a shared OpenClaw agent gateway connected to a team chat channel, with the founder/admin configured as the sole authorized owner for sensitive commands (e.g., restart, reconfigure, or shell-adjacent actions). A regular channel member — or an external party who gains posting access to that channel — sends a message crafted to trigger OpenClaw's native command handling path. Because the owner-only enforcement check is skipped in the affected code path, the agent executes the privileged command as if it came from the owner, allowing the low-trust sender to reconfigure the agent, disrupt its operation, or pivot into other owner-scoped actions the deployment exposes through native commands — all without needing to compromise any credentials.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published
July 2, 2026
Last Modified
July 2, 2026
First Seen
July 2, 2026

Related Vulnerabilities