GHSA-q2gc-xjqw-qp89: OpenClaw: eval approval bypass enables unintended code exec
GHSA-q2gc-xjqw-qp89 MEDIUMOpenClaw's strictInlineEval security boundary — designed to gate inline eval commands behind explicit user approval — can be bypassed when the approval-timeout fallback triggers on gateway and node exec hosts, allowing eval to proceed without user consent. While OpenClaw is scoped to a local, user-controlled trust model and carries a medium severity rating with no active exploitation (not in CISA KEV, EPSS unavailable), the same codebase has accumulated 60 CVEs and researchers have documented malicious third-party skill abuse in the OpenClaw ecosystem — meaning attacker attention is established and the attack surface is real. Organizations or developers running OpenClaw in any automated or agent-pipeline context should upgrade to version 2026.4.8 immediately; no workaround exists for the bypass itself.
What is the risk?
Medium risk in isolated, user-controlled deployments, but escalates materially in automated agent pipelines or environments where malicious skills or external inputs can interact with the agent. The timeout-triggered fallback is a logic flaw requiring no special privileges — any trigger that causes the approval flow to time out is sufficient to bypass the control. The 60-CVE history of the package and documented third-party skill abuse (AIID #1368) indicate this is an actively targeted attack surface where chained exploitation is realistic.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.8 | 2026.4.8 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Upgrade openclaw (npm) to 2026.4.8 or later immediately — verify with
npm list openclaw. -
If immediate patching is not possible, disable eval-capable agent features and avoid deploying OpenClaw on gateway or node exec hosts.
-
Audit all installed third-party skills for malicious content (AIID #1368 documents ~17% malicious skill prevalence in the ClawHub ecosystem).
-
Monitor for unexpected process spawns, file system writes, or network connections originating from OpenClaw's execution context.
-
Pin the verified fixed commit (d7c3210cd6f5fdfdc1beff4c9541673e814354d5) in dependency locks if building from source.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-q2gc-xjqw-qp89?
OpenClaw's strictInlineEval security boundary — designed to gate inline eval commands behind explicit user approval — can be bypassed when the approval-timeout fallback triggers on gateway and node exec hosts, allowing eval to proceed without user consent. While OpenClaw is scoped to a local, user-controlled trust model and carries a medium severity rating with no active exploitation (not in CISA KEV, EPSS unavailable), the same codebase has accumulated 60 CVEs and researchers have documented malicious third-party skill abuse in the OpenClaw ecosystem — meaning attacker attention is established and the attack surface is real. Organizations or developers running OpenClaw in any automated or agent-pipeline context should upgrade to version 2026.4.8 immediately; no workaround exists for the bypass itself.
Is GHSA-q2gc-xjqw-qp89 actively exploited?
No confirmed active exploitation of GHSA-q2gc-xjqw-qp89 has been reported, but organizations should still patch proactively.
How to fix GHSA-q2gc-xjqw-qp89?
1. Upgrade openclaw (npm) to 2026.4.8 or later immediately — verify with `npm list openclaw`. 2. If immediate patching is not possible, disable eval-capable agent features and avoid deploying OpenClaw on gateway or node exec hosts. 3. Audit all installed third-party skills for malicious content (AIID #1368 documents ~17% malicious skill prevalence in the ClawHub ecosystem). 4. Monitor for unexpected process spawns, file system writes, or network connections originating from OpenClaw's execution context. 5. Pin the verified fixed commit (d7c3210cd6f5fdfdc1beff4c9541673e814354d5) in dependency locks if building from source.
What systems are affected by GHSA-q2gc-xjqw-qp89?
This vulnerability affects the following AI/ML architecture patterns: Local AI agent deployments, Agent frameworks with tool execution capabilities, Agentic automation pipelines.
What is the CVSS score for GHSA-q2gc-xjqw-qp89?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation AML.T0107 Exploitation for Defense Evasion AML.T0112.000 Local AI Agent Compliance Controls Affected
What are the technical details?
Original Advisory
## Impact strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts. The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @zsxsoft and @KeenSecurityLab for reporting.
Exploitation Scenario
An adversary with the ability to introduce a malicious OpenClaw skill via ClawHub crafts a skill that issues inline eval commands and simultaneously degrades the approval gateway's responsiveness — for example, by inducing a network timeout or exploiting a slow-response condition on the host. When the approval timeout is reached, the fallback mechanism allows the eval to execute without user confirmation. The malicious code runs in the OpenClaw process context, potentially exfiltrating credentials, establishing persistence, or pivoting to other local resources — directly mirroring the AMOS stealer credential exfiltration pattern documented in AIID #1368.
Weaknesses (CWE)
CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
- [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw