GHSA-qmwg-qprg-3j38: openclaw: CDP pivot bypasses file:// navigation guards

GHSA-qmwg-qprg-3j38 MEDIUM
Published April 17, 2026
CISO Take

openclaw's browser automation feature contains a protection mechanism failure (CWE-693) that allows specially crafted act/evaluate interactions to navigate the browser agent into the local Chrome DevTools Protocol (CDP) origin, then onward to arbitrary file:// URLs — silently bypassing the package's own navigation policy guards. For teams running openclaw-based AI agents on developer workstations, CI/CD runners, or automation infrastructure, this means an adversary who can influence agent inputs — via prompt injection or a malicious web page the agent visits — could read SSH keys, API credentials, .env files, or source code from the host filesystem. With 135 prior CVEs in this package alone, openclaw carries significant systemic security debt, and the 4 downstream npm dependents compound supply chain exposure. Patch to openclaw >= 2026.4.9 immediately; if patching is blocked, sandbox agent execution with OS-level filesystem isolation and restrict outbound network from agent processes.

Sources: GitHub Advisory, ATLAS

What is the risk?

Rated medium by CVSS but functionally HIGH for AI agent deployments. The attack path — influence agent inputs, trigger CDP pivot, read arbitrary files — is mechanically straightforward once an attacker controls what the agent browses or processes. No public exploit exists and EPSS data is unavailable, but the technique maps cleanly to prompt injection delivery, which is well-documented against browser-use agents. The combination of file read capability and an AI agent's inherent network connectivity creates a reliable exfiltration path. The package's 135-CVE history indicates persistent security debt rather than isolated incidents, raising the likelihood that this is part of a broader attack surface.

How does the attack unfold?

1. Agent Input Injection (AML.T0051.001): Attacker delivers a malicious payload via a web page the agent visits or through a prompt injection in the agent's task input, targeting openclaw's browser act/evaluate interface.
2. CDP Origin Pivot (AML.T0105): The crafted browser interaction triggers navigation to the local Chrome DevTools Protocol (CDP) origin, bypassing openclaw's direct navigation guards due to CWE-693.
3. Filesystem Read (AML.T0037): From the CDP context, the attacker navigates to file:// URLs targeting SSH keys, .env files, cloud credentials, and other sensitive data on the host filesystem.
4. Data Exfiltration (AML.T0086): Extracted file contents are transmitted to an attacker-controlled endpoint via browser fetch/XHR calls within the same session, bypassing host-level file access monitoring.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable range: < 2026.4.9
Patched: 2026.4.9
Dependents: 4 (36% patched, ~3d to patch)

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

1. Upgrade openclaw to >= 2026.4.9 (first stable fix) or 2026.4.14 (latest) — verify the fix commit 5f5b3d7 is present.
2. If immediate patching is blocked, sandbox agent execution: run openclaw in Docker with read-only filesystem mounts, explicit volume exclusions for ~/.ssh, ~/.aws, ~/.config, and .env files, and drop CAP_DAC_READ_SEARCH.
3. Audit all callers of browser act() and evaluate() methods for untrusted or user-controlled input paths.
4. Implement network egress controls on agent infrastructure — agents should not be able to initiate outbound connections to arbitrary external hosts.
5. Enable browser process monitoring for navigation events containing 'chrome://devtools' or 'file://' patterns.
6. Review openclaw's 135-CVE history and assess whether continued use is justified given the attack surface.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: 6.1.2 - AI risk assessment; 8.2 - AI system processes — data and security
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to inventory AI systems and manage associated risks
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is GHSA-qmwg-qprg-3j38 actively exploited?

No confirmed active exploitation of GHSA-qmwg-qprg-3j38 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-qmwg-qprg-3j38?

This vulnerability affects the following AI/ML architecture patterns: browser automation agents, agent frameworks, CI/CD automation pipelines, AI web browsing agents.

What is the CVSS score for GHSA-qmwg-qprg-3j38?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

browser automation agents, agent frameworks, CI/CD automation pipelines, AI web browsing agents

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 6.1.2, 8.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

## Summary

Browser interaction routes could pivot into local CDP and regain file reads.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.9`
- Patched versions: `>= 2026.4.9`

## Impact

Browser act/evaluate interactions could trigger navigation into the local CDP origin and then create or read disallowed `file://` pages despite direct navigation guards.

## Technical Details

The fix re-checks browser URLs after interaction-driven navigations and blocks targets that violate the configured navigation policy.

## Fix

The issue was fixed in #63226. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `5f5b3d733bdd791cb457f838514179e1288b10b3`
- PR: #63226

## Release Process Note

Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @tdjackey for reporting this issue.
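The weakness and the fix the advisory describes, modelled in JavaScript: a navigation policy that is checked before direct navigations only (the vulnerable shape, where a page-side interaction can land the tab on a denied origin unnoticed) beside one that re-checks the tab's URL after every interaction-driven navigation. This is an added example, not openclaw's code; the names checkNavigationPolicy, FakePage and GuardedPage, the policy shape, and the sample URLs are assumptions constructed for it.

```javascript
// Added example, not openclaw's code: a navigation policy enforced before a
// direct navigation AND re-checked after interaction-driven navigations, the
// shape of the fix the advisory describes. Names (checkNavigationPolicy,
// FakePage, GuardedPage) and the policy shape are hypothetical.

// Schemes that reach the host filesystem or the browser's privileged pages.
const DENIED_SCHEMES = new Set(["file:", "chrome:", "devtools:", "chrome-extension:"]);
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns null if the URL satisfies the policy, otherwise a reason string.
function checkNavigationPolicy(rawUrl, policy) {
  let url;
  try { url = new URL(rawUrl); } catch { return "unparseable URL"; }
  if (DENIED_SCHEMES.has(url.protocol)) return `denied scheme ${url.protocol}`;
  if (url.protocol !== "http:" && url.protocol !== "https:") return `unsupported scheme ${url.protocol}`;
  // The local CDP endpoint is a loopback origin; treat every loopback host as off limits.
  if (policy.blockLoopback && LOOPBACK_HOSTS.has(url.hostname)) return "loopback origin denied";
  const ok = policy.allowedHosts.some(h => url.hostname === h || url.hostname.endsWith("." + h));
  return ok ? null : `host ${url.hostname} not allowlisted`;
}

// Constructed stand-in for a browser tab: page-side interactions (clicks,
// evaluated scripts) can change the URL without going through navigate().
class FakePage {
  constructor() { this.url = "about:blank"; }
  goto(url) { this.url = url; }
  interact(resultingUrl) { this.url = resultingUrl; } // side-effect navigation
}

class GuardedPage {
  constructor(page, policy, recheckAfterInteraction) {
    this.page = page; this.policy = policy; this.recheck = recheckAfterInteraction;
  }
  currentUrl() { return this.page.url; }
  navigate(url) { // direct navigation: guarded in both variants
    const reason = checkNavigationPolicy(url, this.policy);
    if (reason) throw new Error(`navigation blocked: ${reason}`);
    this.page.goto(url);
  }
  act(resultingUrl) { // an interaction whose side effect is a navigation
    this.page.interact(resultingUrl);
    if (!this.recheck) return this.page.url; // vulnerable shape: no post-interaction check
    const reason = checkNavigationPolicy(this.page.url, this.policy);
    if (reason) { this.page.goto("about:blank"); throw new Error(`post-interaction navigation blocked: ${reason}`); }
    return this.page.url;
  }
}
```

The same checkNavigationPolicy function can be run over logged navigation targets to implement the monitoring in remediation step 5, since it flags file://, chrome:// and loopback origins by the same rules the guard enforces.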

Exploitation Scenario

An adversary targets an organization using an openclaw-based AI research agent that autonomously browses web pages. The attacker embeds a malicious payload in a publicly accessible web page — or injects it via a prompt injection in the agent's task input — that triggers a browser evaluate() call navigating to the local CDP endpoint (e.g., chrome://devtools/devtools.html). From the CDP origin, the attacker uses subsequent navigation to craft file:// requests reading ~/.ssh/id_rsa, application .env files containing cloud API keys, or CI/CD runner credential stores. The browser transmits the file contents to an attacker-controlled domain via an XMLHttpRequest or fetch call within the same browser session, bypassing host-level file access monitoring since the operation originates from the browser process. The entire chain executes within a single agent task iteration with no user interaction required.

Weaknesses (CWE)

CWE-693 — Protection Mechanism Failure: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
