GHSA-qqq7-4hxc-x63c: openclaw: local file exfiltration via trusted MEDIA refs

GHSA-qqq7-4hxc-x63c MEDIUM
Published April 9, 2026
CISO Take

OpenClaw, a local AI assistant, fails to validate shared reply MEDIA paths before treating them as trusted generated media — allowing a crafted reference to cause a second channel to silently read arbitrary local files. While OpenClaw is scoped to individual user machines and has no multi-tenant boundary, this vulnerability directly enables sensitive file exfiltration (SSH keys, .env files, config with credentials) without any user interaction beyond receiving a crafted shared reply. The package carries 60 prior CVEs and its skills ecosystem was independently linked to AMOS credential stealer delivery (AIID #1368), indicating an active adversary interest in OpenClaw as an exfiltration vector. Organizations running OpenClaw should patch immediately to version 2026.4.8 and audit any shared reply integrations for unexpected MEDIA path references.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium risk in isolation, elevated in context. No EPSS data is available and there is no KEV listing or public exploit. However, the vulnerability requires minimal sophistication — a crafted MEDIA reference string — and targets a class of files (local FS) with disproportionate blast radius on developer and security workstations where AI agents are commonly deployed. The prior history of 60 CVEs in this package and confirmed malicious skill distribution in the OpenClaw ecosystem suggests active adversary targeting.

Affected Systems

Package    Ecosystem   Vulnerable Range   Patched
openclaw   npm         < 2026.4.8         2026.4.8

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

Recommended Action

  1. Patch: upgrade openclaw npm package to >=2026.4.8 immediately. The fix commit is d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
  2. Workaround (if immediate patching is not possible): disable shared reply MEDIA features or isolate OpenClaw to a restricted-permission OS user with minimal file system access.
  3. Detection: audit OpenClaw logs for MEDIA path references that point to local filesystem paths (file:// or absolute paths) rather than generated media buffers.
  4. Scope review: inventory all OpenClaw deployments in your org, particularly on developer or security workstations where sensitive files (SSH keys, .env, cloud credentials) reside.
  5. Validate installed skills against known-good sources — cross-reference against AIID #1368 malicious skills pattern.
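A detection pass of the kind step 3 describes, as an added example that is not OpenClaw's own code: it scans assistant log lines for MEDIA references that name a local file rather than a generated media buffer. The log line layout, the `MEDIA:` marker syntax and the `buffer://` handle scheme are constructed assumptions.

```javascript
// Added example (not OpenClaw's own code): flag MEDIA references in log
// lines that point at the local filesystem instead of generated media.
// The log format and the "MEDIA:" marker are assumptions for illustration.

// A "MEDIA:" marker followed by the referenced value.
const MEDIA_REF = /MEDIA:\s*(\S+)/g;

// A reference is suspicious when it names a local file rather than an
// opaque generated-media handle.
function isLocalFileRef(ref) {
  const r = ref.trim();
  if (/^file:\/\//i.test(r)) return true;                    // file:// URL
  if (r.startsWith("~")) return true;                         // home-relative
  if (r.startsWith("/")) return true;                         // POSIX absolute
  if (/^[a-zA-Z]:[\\/]/.test(r)) return true;                 // Windows drive path
  if (r.includes("../") || r.includes("..\\")) return true;   // traversal
  return false;
}

// Returns every flagged reference together with its 1-based line number.
function findLocalMediaRefs(logLines) {
  const hits = [];
  logLines.forEach((line, idx) => {
    for (const m of line.matchAll(MEDIA_REF)) {
      if (isLocalFileRef(m[1])) hits.push({ line: idx + 1, ref: m[1] });
    }
  });
  return hits;
}

// Constructed sample log lines; not real OpenClaw output.
const SAMPLE_LOG = [
  "2026-04-09T10:00:01Z shared-reply channel=slack MEDIA: buffer://gen/7f3a.png",
  "2026-04-09T10:00:02Z shared-reply channel=discord MEDIA: file:///home/dev/.env",
  "2026-04-09T10:00:03Z shared-reply channel=web MEDIA: ~/.ssh/id_rsa",
  "2026-04-09T10:00:04Z shared-reply channel=slack MEDIA: buffer://gen/9c1b.jpg",
  "2026-04-09T10:00:05Z shared-reply channel=web MEDIA: /home/dev/.aws/credentials",
];

for (const h of findLocalMediaRefs(SAMPLE_LOG)) {
  console.log(`line ${h.line}: suspicious MEDIA ref -> ${h.ref}`);
}
```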

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - AI system input controls
NIST AI RMF
MANAGE 2.2 - Risk treatment and response for AI systems
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure
LLM06:2025 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is GHSA-qqq7-4hxc-x63c?

OpenClaw, a local AI assistant, fails to validate shared reply MEDIA paths before treating them as trusted generated media — allowing a crafted reference to cause a second channel to silently read arbitrary local files. While OpenClaw is scoped to individual user machines and has no multi-tenant boundary, this vulnerability directly enables sensitive file exfiltration (SSH keys, .env files, config with credentials) without any user interaction beyond receiving a crafted shared reply. The package carries 60 prior CVEs and its skills ecosystem was independently linked to AMOS credential stealer delivery (AIID #1368), indicating an active adversary interest in OpenClaw as an exfiltration vector. Organizations running OpenClaw should patch immediately to version 2026.4.8 and audit any shared reply integrations for unexpected MEDIA path references.

Is GHSA-qqq7-4hxc-x63c actively exploited?

No confirmed active exploitation of GHSA-qqq7-4hxc-x63c has been reported, but organizations should still patch proactively.

How to fix GHSA-qqq7-4hxc-x63c?

  1. Patch: upgrade openclaw npm package to >=2026.4.8 immediately. The fix commit is d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
  2. Workaround (if immediate patching is not possible): disable shared reply MEDIA features or isolate OpenClaw to a restricted-permission OS user with minimal file system access.
  3. Detection: audit OpenClaw logs for MEDIA path references that point to local filesystem paths (file:// or absolute paths) rather than generated media buffers.
  4. Scope review: inventory all OpenClaw deployments in your org, particularly on developer or security workstations where sensitive files (SSH keys, .env, cloud credentials) reside.
  5. Validate installed skills against known-good sources — cross-reference against AIID #1368 malicious skills pattern.

What systems are affected by GHSA-qqq7-4hxc-x63c?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI assistants, multi-modal AI pipelines.

What is the CVSS score for GHSA-qqq7-4hxc-x63c?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Impact

Shared reply MEDIA: paths are treated as trusted and can trigger cross-channel local file exfiltration. A crafted shared reply MEDIA reference could cause another channel to read a local file path as trusted generated media. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Affected Packages / Versions

  - Package: `openclaw` (npm)
  - Affected versions: `<=2026.4.4`
  - Patched versions: `2026.4.8`

Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

Credits

Thanks @threalwinky for reporting.

Exploitation Scenario

An adversary distributes a malicious OpenClaw skill or crafts a poisoned shared conversation context containing a MEDIA reply reference pointing to a high-value local file (e.g., ~/.aws/credentials, ~/.ssh/id_rsa, or a .env file containing API keys). When the victim's OpenClaw instance processes this reference in another channel — such as a multi-modal reply or shared session — it reads the referenced path as trusted generated media output and surfaces its contents. The adversary, who controls the originating channel or a connected exfiltration endpoint (e.g., a malicious skill with outbound network access), receives the file contents without triggering standard file-access alerts. This chains naturally with the AMOS stealer distribution pattern seen in the OpenClaw skills ecosystem.
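The trust mistake in the scenario above beside a hardened alternative, as an added illustration rather than OpenClaw's actual code or its fix: the vulnerable form reads whatever path a shared reply references, while the hardened form treats a cross-channel MEDIA reference as untrusted input that must be an opaque handle into media this instance generated. The function names, the in-memory stand-in filesystem, the registry and the `gen-` handle format are all assumptions.

```javascript
// Added example, not OpenClaw's own code. Nothing here touches the real
// disk: FAKE_FS is a constructed stand-in for the local filesystem.
const FAKE_FS = new Map([
  ["/home/dev/.ssh/id_rsa", "-----BEGIN OPENSSH PRIVATE KEY----- (constructed)"],
  ["/home/dev/.env", "API_KEY=constructed-secret"],
  ["/tmp/openclaw/gen/7f3a.png", "<png bytes>"],
]);

// Registry of media this assistant instance generated itself (assumed
// design): opaque handle -> bytes. Only these may ever be served as media.
const GENERATED = new Map([["gen-7f3a1c2e", "<png bytes>"]]);

// Vulnerable pattern: a reference from another channel is taken at face
// value as a path, so a shared reply can name any readable local file.
function loadMediaVulnerable(ref) {
  const p = ref.replace(/^file:\/\//i, "");
  const bytes = FAKE_FS.get(p);
  return bytes === undefined ? null : bytes;
}

// Hardened pattern: classify the reference before any lookup and refuse
// everything that looks like a URL, an absolute/home path, a drive path
// or a traversal. Handles are short and fixed-format by construction.
const HANDLE = /^gen-[0-9a-f]{8}$/;

function classifyRef(ref) {
  if (typeof ref !== "string" || ref.includes("\0")) return "invalid";
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(ref)) return "url";       // file://, http://
  if (ref.startsWith("/") || ref.startsWith("~")) return "path";
  if (/^[a-zA-Z]:[\\/]/.test(ref)) return "path";                 // C:\...
  if (/(^|[\\/])\.\.([\\/]|$)/.test(ref)) return "path";          // ../ segments
  return HANDLE.test(ref) ? "handle" : "invalid";
}

function loadMediaHardened(ref) {
  const kind = classifyRef(ref);
  if (kind !== "handle") return { ok: false, reason: kind };
  const bytes = GENERATED.get(ref);
  if (bytes === undefined) return { ok: false, reason: "unknown-handle" };
  return { ok: true, bytes };
}

console.log(loadMediaVulnerable("file:///home/dev/.env"));   // secret leaks
console.log(loadMediaHardened("file:///home/dev/.env"));     // refused: url
console.log(loadMediaHardened("gen-7f3a1c2e"));              // served
```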

Timeline

Published
April 9, 2026
Last Modified
April 9, 2026
First Seen
April 9, 2026

Related Vulnerabilities