GHSA-q2gc-xjqw-qp89: OpenClaw: eval approval bypass enables unintended code exec

GHSA-q2gc-xjqw-qp89 MEDIUM
Published April 9, 2026
CISO Take

OpenClaw's strictInlineEval security boundary — designed to gate inline eval commands behind explicit user approval — can be bypassed when the approval-timeout fallback triggers on gateway and node exec hosts, allowing eval to proceed without user consent. While OpenClaw is scoped to a local, user-controlled trust model and carries a medium severity rating with no active exploitation (not in CISA KEV, EPSS unavailable), the same codebase has accumulated 60 CVEs and researchers have documented malicious third-party skill abuse in the OpenClaw ecosystem — meaning attacker attention is established and the attack surface is real. Organizations or developers running OpenClaw in any automated or agent-pipeline context should upgrade to version 2026.4.8 immediately; no workaround exists for the bypass itself.

Sources: GitHub Advisory, ATLAS

Risk Assessment

Medium risk in isolated, user-controlled deployments, but escalates materially in automated agent pipelines or environments where malicious skills or external inputs can interact with the agent. The timeout-triggered fallback is a logic flaw requiring no special privileges — any trigger that causes the approval flow to time out is sufficient to bypass the control. The 60-CVE history of the package and documented third-party skill abuse (AIID #1368) indicate this is an actively targeted attack surface where chained exploitation is realistic.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |

Severity & Risk

- CVSS 3.1: N/A
- EPSS: N/A
- Exploitation Status: No known exploitation
- Sophistication: Moderate

Recommended Action

  1. Upgrade openclaw (npm) to 2026.4.8 or later immediately — verify with `npm list openclaw`.
  2. If immediate patching is not possible, disable eval-capable agent features and avoid deploying OpenClaw on gateway or node exec hosts.
  3. Audit all installed third-party skills for malicious content (AIID #1368 documents ~17% malicious skill prevalence in the ClawHub ecosystem).
  4. Monitor for unexpected process spawns, file system writes, or network connections originating from OpenClaw's execution context.
  5. Pin the verified fixed commit (d7c3210cd6f5fdfdc1beff4c9541673e814354d5) in dependency locks if building from source.
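
A lockfile check to back up steps 1 and 5, written for this page as an added example (it is not OpenClaw tooling). It uses the `< 2026.4.8` range from the table above, and it assumes a lockfileVersion 2 or 3 `package-lock.json`; the sample lockfile and the package names in it are constructed.

```javascript
// Added example: audit an npm lockfile for openclaw copies older than the fix.
const PATCHED = "2026.4.8"; // patched version stated in this advisory

// Parse "YYYY.M.P" (optionally "-prerelease") into numeric parts; null if malformed.
function parseVersion(v) {
  const [core, pre] = String(v).split("-", 2);
  const parts = core.split(".").map((p) => (/^\d+$/.test(p) ? Number(p) : NaN));
  if (parts.length !== 3 || parts.some(Number.isNaN)) return null;
  return { parts, pre: pre !== undefined };
}

// True when `version` sorts before PATCHED. Malformed versions and prereleases
// of the patched number are treated as vulnerable (a conservative assumption).
function isVulnerable(version) {
  const v = parseVersion(version);
  const fixed = parseVersion(PATCHED);
  if (!v) return true;
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] !== fixed.parts[i]) return v.parts[i] < fixed.parts[i];
  }
  return v.pre;
}

// Scan the "packages" map of a lockfile, including copies of openclaw that are
// nested under other dependencies and easy to miss after a top-level upgrade.
function findVulnerableOpenclaw(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/openclaw$/.test(path)) continue;
    if (isVulnerable(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-host", version: "1.0.0" },
    "node_modules/openclaw": { version: "2026.4.8" },
    "node_modules/example-skill/node_modules/openclaw": { version: "2026.4.2" },
    "node_modules/openclaw-helper": { version: "0.1.0" },
  },
};

console.log(findVulnerableOpenclaw(sampleLock));
```

The comparison is numeric per component, so a later release such as `2026.10.1` is not mistaken for an older one the way a plain string comparison would.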

Classification

Compliance Impact

This CVE is relevant to:

- EU AI Act: Art. 14 - Human oversight
- ISO 42001: 6.1.2 - AI risk treatment
- NIST AI RMF: GOVERN 1.2 - Accountability mechanisms for AI risk
- OWASP LLM Top 10: LLM01 - Prompt Injection; LLM06 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is GHSA-q2gc-xjqw-qp89 actively exploited?

No confirmed active exploitation of GHSA-q2gc-xjqw-qp89 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-q2gc-xjqw-qp89?

This vulnerability affects the following AI/ML architecture patterns: Local AI agent deployments, Agent frameworks with tool execution capabilities, Agentic automation pipelines.

What is the CVSS score for GHSA-q2gc-xjqw-qp89?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact

strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts.

The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<=2026.4.2`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @zsxsoft and @KeenSecurityLab for reporting.

Exploitation Scenario

An adversary with the ability to introduce a malicious OpenClaw skill via ClawHub crafts a skill that issues inline eval commands and simultaneously degrades the approval gateway's responsiveness — for example, by inducing a network timeout or exploiting a slow-response condition on the host. When the approval timeout is reached, the fallback mechanism allows the eval to execute without user confirmation. The malicious code runs in the OpenClaw process context, potentially exfiltrating credentials, establishing persistence, or pivoting to other local resources — directly mirroring the AMOS stealer credential exfiltration pattern documented in AIID #1368.
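
The flaw class behind this advisory, a timeout path that falls back to a decision that can allow execution, is shown below beside its fail-closed form. This is an added model written for this page, not OpenClaw's code: every function name, the `fallbackAllows` policy hook and the 20 ms timeout are assumptions made for illustration.

```javascript
// Hypothetical model of an approval gate; none of these names are OpenClaw APIs.
const TIMEOUT = Symbol("timeout");

// Settle with the user's decision, or with TIMEOUT if none arrives within `ms`.
function withTimeout(decision, ms) {
  let timer;
  const expired = new Promise((resolve) => {
    timer = setTimeout(() => resolve(TIMEOUT), ms);
  });
  return Promise.race([decision, expired]).finally(() => clearTimeout(timer));
}

// Fail-open gate: on timeout it defers to a fallback policy, so a command that
// was supposed to need explicit approval can run with no user decision at all.
async function gateFailOpen(cmd, decision, { timeoutMs, fallbackAllows }) {
  const outcome = await withTimeout(decision, timeoutMs);
  if (outcome === TIMEOUT) return { run: fallbackAllows(cmd), reason: "timeout-fallback" };
  return { run: outcome === "approve", reason: "user" };
}

// Fail-closed gate: only an explicit "approve" allows execution. Timeout, a
// broken approval channel and any unexpected value all deny.
async function gateFailClosed(cmd, decision, { timeoutMs }) {
  let outcome;
  try {
    outcome = await withTimeout(decision, timeoutMs);
  } catch {
    return { run: false, reason: "approval-error" };
  }
  if (outcome === TIMEOUT) return { run: false, reason: "timeout-denied" };
  return { run: outcome === "approve", reason: "user" };
}

// Constructed scenarios: the user never answers, answers, or the channel fails.
async function demo() {
  const cmd = { kind: "inline-eval", source: "/* constructed placeholder */" };
  const opts = { timeoutMs: 20, fallbackAllows: () => true };
  const neverAnswers = new Promise(() => {});
  return {
    open: await gateFailOpen(cmd, neverAnswers, opts),
    closed: await gateFailClosed(cmd, neverAnswers, opts),
    approved: await gateFailClosed(cmd, Promise.resolve("approve"), opts),
    broken: await gateFailClosed(cmd, Promise.reject(new Error("channel down")), opts),
  };
}

demo().then((results) => console.log(results));
```

A regression test for a boundary like this should exercise the timeout and error paths explicitly, since the approve and deny paths pass in both versions.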

Timeline

- Published: April 9, 2026
- Last Modified: April 9, 2026
- First Seen: April 9, 2026