GHSA-qx8j-g322-qj6m — HIGH AI Security Vulnerability

Q: Is GHSA-qx8j-g322-qj6m actively exploited?

No confirmed active exploitation of GHSA-qx8j-g322-qj6m has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-qx8j-g322-qj6m?

1. Patch immediately: upgrade openclaw to version 2026.4.8 (verified fixed tree: commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5). 2. Audit installed skills: review all third-party OpenClaw skills for suspicious redirect patterns or external URL calls, given the documented malicious skills ecosystem. 3. Rotate credentials: if openclaw agents have been making authenticated HTTP requests prior to patching, treat associated API keys, bearer tokens, and session credentials as potentially compromised. 4. Network-layer detection: inspect outbound HTTP traffic from OpenClaw processes for unexpected cross-origin POST requests or credential-bearing redirects. 5. Least-privilege: restrict the API scopes and credentials available to OpenClaw agents to the minimum required for their tasks.

Q: What systems are affected by GHSA-qx8j-g322-qj6m?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI assistants, AI agent tool integrations.

Q: What is the CVSS score for GHSA-qx8j-g322-qj6m?

No CVSS score has been assigned yet.

CISO Take

OpenClaw's `fetchWithSsrFGuard` function fails to strip sensitive HTTP headers and request bodies before following cross-origin redirects, meaning an AI agent workflow can inadvertently forward authorization tokens, session credentials, or POST payloads to unintended third-party origins. While the advisory scopes this to OpenClaw's local, user-controlled trust model (no multi-tenant blast radius), AI agents routinely carry bearer tokens and API keys in outbound requests — making credential exfiltration the realistic worst case if a redirect chain passes through an attacker-controlled host. With 60 CVEs already on record in this package and a documented malicious skills ecosystem (AIID #1368, where ~17% of third-party skills were flagged as malicious), the risk of a skill chaining this into a credential-theft attack is non-trivial. Upgrade to openclaw 2026.4.8 (commit d7c3210) immediately; there is no viable workaround short of patching.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium-High. The vulnerability is scoped to local deployments and carries no EPSS score or KEV listing, suggesting low opportunistic exploitation activity today. However, the broader OpenClaw ecosystem context elevates risk significantly: the package has 60 known CVEs and a documented history of malicious third-party skills. An adversary who controls a redirect target (via a malicious skill, a poisoned URL in a task, or a prompt injection) can passively harvest credentials with no user interaction beyond normal agent operation. The absence of CVSS vector data prevents precise scoring, but the CWE-345 weakness class combined with AI agent autonomy shifts this toward high operational risk for any team using OpenClaw with credentialed API access.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	< 2026.4.8	`2026.4.8`

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

Recommended Action

Patch immediately: upgrade openclaw to version 2026.4.8 (verified fixed tree: commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5).
Audit installed skills: review all third-party OpenClaw skills for suspicious redirect patterns or external URL calls, given the documented malicious skills ecosystem.
Rotate credentials: if openclaw agents have been making authenticated HTTP requests prior to patching, treat associated API keys, bearer tokens, and session credentials as potentially compromised.
Network-layer detection: inspect outbound HTTP traffic from OpenClaw processes for unexpected cross-origin POST requests or credential-bearing redirects.
Least-privilege: restrict the API scopes and credentials available to OpenClaw agents to the minimum required for their tasks.

Classification

Data Extraction Auth Bypass Supply Chain Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0086 - Exfiltration via AI Agent Tool Invocation AML.T0110 - AI Agent Tool Poisoning

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

8.4 - AI system operation A.6.2.5 - Information security in AI system supply chain

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain AI system trustworthiness MANAGE-4.1 - Residual risks are monitored and managed

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors high confidence

The malicious OpenClaw skills ecosystem documented in AIID #1368 is a directly plausible delivery vector for exploiting this vulnerability — a malicious skill triggering a redirect to an attacker-controlled server would harvest credentials via the fetch guard bypass, extending the same credential exfiltration attack class documented in the incident.

AIID #1368

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is GHSA-qx8j-g322-qj6m?

OpenClaw's `fetchWithSsrFGuard` function fails to strip sensitive HTTP headers and request bodies before following cross-origin redirects, meaning an AI agent workflow can inadvertently forward authorization tokens, session credentials, or POST payloads to unintended third-party origins. While the advisory scopes this to OpenClaw's local, user-controlled trust model (no multi-tenant blast radius), AI agents routinely carry bearer tokens and API keys in outbound requests — making credential exfiltration the realistic worst case if a redirect chain passes through an attacker-controlled host. With 60 CVEs already on record in this package and a documented malicious skills ecosystem (AIID #1368, where ~17% of third-party skills were flagged as malicious), the risk of a skill chaining this into a credential-theft attack is non-trivial. Upgrade to openclaw 2026.4.8 (commit d7c3210) immediately; there is no viable workaround short of patching.

Is GHSA-qx8j-g322-qj6m actively exploited?

No confirmed active exploitation of GHSA-qx8j-g322-qj6m has been reported, but organizations should still patch proactively.

How to fix GHSA-qx8j-g322-qj6m?

1. Patch immediately: upgrade openclaw to version 2026.4.8 (verified fixed tree: commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5). 2. Audit installed skills: review all third-party OpenClaw skills for suspicious redirect patterns or external URL calls, given the documented malicious skills ecosystem. 3. Rotate credentials: if openclaw agents have been making authenticated HTTP requests prior to patching, treat associated API keys, bearer tokens, and session credentials as potentially compromised. 4. Network-layer detection: inspect outbound HTTP traffic from OpenClaw processes for unexpected cross-origin POST requests or credential-bearing redirects. 5. Least-privilege: restrict the API scopes and credentials available to OpenClaw agents to the minimum required for their tasks.

What systems are affected by GHSA-qx8j-g322-qj6m?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI assistants, AI agent tool integrations.

What is the CVSS score for GHSA-qx8j-g322-qj6m?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects. A guarded fetch could resend unsafe request bodies or headers when following cross-origin redirects. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<2026.3.31` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @BG0ECV for reporting.

Exploitation Scenario

An attacker publishes a seemingly useful OpenClaw skill to ClawHub (the third-party skill marketplace). The skill instructs the agent to call a legitimate-looking API endpoint — for example, a productivity tool integration. The attacker's server responds with a 302 redirect to an attacker-controlled domain. Due to the `fetchWithSsrFGuard` vulnerability, OpenClaw replays the original request including its Authorization header and POST body to the attacker's server. The attacker silently harvests the credential and uses it to access the victim's connected services (cloud APIs, SaaS platforms, internal tooling). The victim sees normal agent operation with no visible anomaly, and the skill deletes itself after execution. This scenario directly parallels the documented AIID #1368 attack pattern using OpenClaw's skills ecosystem.