AI Threat Alert

GHSA-q3jj-46pq-826r: openclaw: ACP child session security envelope bypass

GHSA-q3jj-46pq-826r MEDIUM
Published May 4, 2026
CISO Take

A security boundary failure in OpenClaw allows restricted subagents to spawn ACP child sessions that fail to inherit depth limits, child-count caps, control scope restrictions, and target-agent constraints — effectively escaping the security envelope designed to contain them. This is not an isolated flaw: openclaw carries 135 prior CVEs, signaling systemic security debt in a package sitting inside agentic AI pipelines. While no public exploits exist and the package is absent from CISA KEV, the constraint bypass directly undermines least-privilege controls in multi-agent deployments where different agents operate at different trust levels. Upgrade to openclaw 2026.4.22 immediately and audit any ACP-based agent hierarchies for unauthorized cross-scope activity.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium risk overall, but elevated in complex agentic deployments. Exploitation requires an adversary to already operate as a restricted subagent — limiting initial access requirements — but once inside, the bypass is straightforward: simply spawn an ACP child session. No novel techniques are needed. Impact scales with what the unconstrained child session can reach, which in enterprise multi-agent pipelines with broad tool access could be significant. The pattern of 135 CVEs in openclaw suggests the package's security posture is structurally weak, raising the likelihood that related bypasses exist or will emerge.

How does the attack unfold?

Initial Access
Adversary gains execution as a restricted OpenClaw subagent via prompt injection into agent input, a compromised upstream tool, or a malicious skill published to a public skills registry.
AML.T0051
Constraint Bypass
Restricted subagent invokes ACP spawn to create a child session; on versions <= 2026.4.21, the child is instantiated without inheriting depth limits, child-count caps, or target-agent scope restrictions.
AML.T0107
Scope Escalation
Unconstrained child ACP session operates with broader permissions than the parent subagent was authorized, enabling access to tools, APIs, or data stores explicitly outside the original security envelope.
AML.T0053
Impact
Adversary uses the unconstrained child session for unauthorized actions — data exfiltration, recursive agent spawning beyond permitted tree depth, or lateral movement across agent trust boundaries.
AML.T0086

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm <= 2026.4.21 2026.4.22
4 dependents 36% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

5 steps

  1. Upgrade openclaw to 2026.4.22 immediately — the fix resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies inherited control scope to child ACP sessions.

  2. Audit existing ACP-based deployments for child sessions that may have operated without proper constraint inheritance prior to patching.

  3. Review agent orchestration logs for anomalous spawning patterns — subagents spawning children at unexpected depth or outside their designated target scope.

  4. If immediate upgrade is not possible, restrict ACP child session spawning from any subagent operating under reduced permissions as a temporary workaround.

  5. Inventory all direct and transitive dependents of openclaw in your AI stack and confirm they are patched.

How is it classified?

Auth Bypass Code Execution Agent Framework AML.T0053 AML.T0081 AML.T0107 AML.T0108

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.2.4 - AI system access control
NIST AI RMF
GOVERN 1.7 - Processes for delineating AI system boundaries
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-q3jj-46pq-826r?

A security boundary failure in OpenClaw allows restricted subagents to spawn ACP child sessions that fail to inherit depth limits, child-count caps, control scope restrictions, and target-agent constraints — effectively escaping the security envelope designed to contain them. This is not an isolated flaw: openclaw carries 135 prior CVEs, signaling systemic security debt in a package sitting inside agentic AI pipelines. While no public exploits exist and the package is absent from CISA KEV, the constraint bypass directly undermines least-privilege controls in multi-agent deployments where different agents operate at different trust levels. Upgrade to openclaw 2026.4.22 immediately and audit any ACP-based agent hierarchies for unauthorized cross-scope activity.

Is GHSA-q3jj-46pq-826r actively exploited?

No confirmed active exploitation of GHSA-q3jj-46pq-826r has been reported, but organizations should still patch proactively.

How to fix GHSA-q3jj-46pq-826r?

1. Upgrade openclaw to 2026.4.22 immediately — the fix resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies inherited control scope to child ACP sessions. 2. Audit existing ACP-based deployments for child sessions that may have operated without proper constraint inheritance prior to patching. 3. Review agent orchestration logs for anomalous spawning patterns — subagents spawning children at unexpected depth or outside their designated target scope. 4. If immediate upgrade is not possible, restrict ACP child session spawning from any subagent operating under reduced permissions as a temporary workaround. 5. Inventory all direct and transitive dependents of openclaw in your AI stack and confirm they are patched.

What systems are affected by GHSA-q3jj-46pq-826r?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, agentic pipelines.

What is the CVSS score for GHSA-q3jj-46pq-826r?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-agent orchestrationagentic pipelines

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0107 Exploitation for Defense Evasion
AML.T0108 AI Agent

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.4
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

## Summary ACP child sessions inherit subagent security envelope constraints. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions. ## Fix ACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions. ## Fix Commit(s) - 31160dc069b7cc5d833b39c53736a41ad3befda2 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting.

Exploitation Scenario

An adversary with execution inside a restricted OpenClaw subagent — achieved via prompt injection into the agent's input, a compromised upstream tool, or a malicious skill published to ClawHub — invokes the ACP spawn mechanism to create a child session. On unpatched versions, the child session is instantiated without inheriting the parent's depth limit, child-count cap, or target-agent restrictions. The adversary then uses this unconstrained child to call external APIs, access data stores explicitly excluded from the parent's control scope, spawn additional agents beyond the permitted tree depth, or perform exfiltration — all actions the original subagent was architecturally prohibited from taking.

Weaknesses (CWE)

CWE-277 Insecure Inherited Permissions Primary

CWE-277 — Insecure Inherited Permissions: A product defines a set of insecure permissions that are inherited by objects that are created by the program.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

References

Timeline

Published
May 4, 2026
Last Modified
May 4, 2026
First Seen
May 5, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33579 9.9

OpenClaw: scope bypass escalates low-priv to admin

Same package: openclaw
CRITICAL CVE-2026-32922 9.9

OpenClaw: privilege escalation to RCE via token scope bypass

Same package: openclaw
CRITICAL CVE-2026-53838 9.8

OpenClaw: approval scope bypass via reconnection state

Same package: openclaw
CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-32038 9.8

Analysis pending

Same package: openclaw
Back to Threat Feed