GHSA-r77c-2cmr-7p47: openclaw: group policy bypass in delivery queue recovery

GHSA-r77c-2cmr-7p47 LOW
Published April 17, 2026
CISO Take

openclaw versions 2026.4.10 through 2026.4.13 fail to persist group tool-policy context in the delivery queue, allowing recovered media to replay after a restart without the authorization checks that govern what an AI agent can do and to whom. While rated low severity with no public exploit or KEV listing, the flaw directly undermines the policy enforcement layer in AI agent deployments — and in the context of openclaw's documented third-party skills ecosystem (see AIID #1368, where ~17% of skills were assessed as malicious), any weakening of policy controls is a compounding risk. This package also carries 135 prior CVEs, warranting elevated supply-chain scrutiny regardless of per-issue severity. Teams running openclaw-based agent infrastructure should upgrade to 2026.4.14 immediately and audit delivery queue recovery events from the affected version window.

Sources: GitHub Advisory, ATLAS

What is the risk?

Low immediate risk: no public exploit available, EPSS not scored, absent from CISA KEV, and only 4 downstream npm dependents limit blast radius. However, the flaw undermines a critical trust boundary — group tool-policy enforcement — in AI agent systems. The 135 historical CVEs in this package signal systemic security debt requiring supply-chain scrutiny. Risk escalates meaningfully in multi-tenant agent deployments where agents serve groups with different authorization tiers, as cross-policy media replay could result in unauthorized data access or capability usage across tenant boundaries.

How does the attack unfold?

Trigger Recovery
Attacker or a natural operational event (crash, deployment, deliberate denial-of-service) causes the openclaw service to enter delivery queue recovery mode.
AML.T0029
Context Loss
Delivery queue entries are recovered without the original group tool-policy session context, stripping the authorization metadata required for policy enforcement checks.
AML.T0080
Unauthorized Replay
Queued outbound media replays without group policy enforcement, allowing restricted content, tool invocations, or channel dispatches to execute outside their authorized scope.
AML.T0053
Policy Bypass Impact
Agent actions execute beyond their authorized policy boundary, potentially exposing sensitive data across tenant groups or enabling unauthorized capability use in multi-tenant deployments.
AML.T0107

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable range: >= 2026.4.10, < 2026.4.14
Patched: 2026.4.14
Dependents: 4 (36% patched, ~3d to patch)


How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

5 steps
  1. Upgrade openclaw (npm) to >= 2026.4.14 immediately — the fix persists session context alongside queue entries so recovered media goes through the same policy checks.

  2. If an immediate upgrade is blocked, schedule restarts only during planned maintenance windows and clear the delivery queue manually before restarting to prevent uncontrolled recovery replays.

  3. Audit delivery queue recovery events in logs for the version window 2026.4.10–2026.4.13 to identify any policy-bypass occurrences.

  4. In staging, validate that post-upgrade restart/recovery behavior correctly enforces group tool policy by queuing restricted media before a restart and confirming it is blocked or correctly policy-checked upon replay.

  5. For multi-tenant deployments, cross-reference any outbound media dispatched post-restart against the originating group's policy scope.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.9.3 - AI system security
NIST AI RMF
GOVERN 1.1 - Policies and procedures for AI risk
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

Is GHSA-r77c-2cmr-7p47 actively exploited?

No confirmed active exploitation of GHSA-r77c-2cmr-7p47 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-r77c-2cmr-7p47?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Multi-tenant agent platforms, Agentic media dispatch pipelines.

What is the CVSS score for GHSA-r77c-2cmr-7p47?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Multi-tenant agent platforms
Agentic media dispatch pipelines

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0080 AI Agent Context Poisoning
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.3
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

## Summary

Delivery queue recovery could lose group tool-policy context for media replay.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.4.10 < 2026.4.14`
- Patched versions: `>= 2026.4.14`

## Impact

Recovered queued outbound media could be replayed without the original session context needed to enforce group tool policy, weakening channel media restrictions after restart/recovery.

## Technical Details

The fix persists and replays the relevant session context with delivery queue entries so recovered media dispatch goes through the same policy checks.

## Fix

The issue was fixed in #66025. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `48aae82bbc19ba8b0741e61a08063eb0d1df464e`
- PR: #66025

## Release Process Note

Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
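The persistence pattern the advisory's Technical Details describe, and the staging check in step 4 of "What should I do?", shown as an added example that is not openclaw's code and not the fix in #66025: a toy outbound-media queue that stores the group policy context with each entry, re-runs the policy check on recovery, and fails closed for entries whose context did not survive. Group names, the policy shape and the JSON layout of the queue file are assumptions.

```javascript
// Added example, not openclaw's code. Group names, the policy shape and the
// JSON layout of the queue file are assumptions for illustration.
// Constructed group tool policies: media kinds each group may dispatch.
const GROUP_POLICIES = {
  "group-a": { allowMedia: ["image"] },          // file sharing restricted
  "group-b": { allowMedia: ["image", "file"] },
};

// Policy check applied on first dispatch and again on recovered replay.
function isAllowed(entry) {
  const groupId = entry.context && entry.context.groupId;
  const policy = GROUP_POLICIES[groupId];
  if (!policy) return false;                      // unknown group: fail closed
  return policy.allowMedia.includes(entry.media.kind);
}

// Vulnerable persistence: only the media survives, the context is dropped.
function persistWithoutContext(queue) {
  return JSON.stringify(queue.map((e) => ({ media: e.media })));
}

// Fixed persistence: the session/group context travels with each entry.
function persistWithContext(queue) {
  return JSON.stringify(queue.map((e) => ({ media: e.media, context: e.context })));
}

// Recovery after restart: reload the queue and re-run the policy check before
// replaying. Entries whose context did not survive are blocked, not replayed.
function recoverAndReplay(serialized) {
  const replayed = [];
  const blocked = [];
  for (const entry of JSON.parse(serialized)) {
    if (!entry.context || !entry.context.groupId) {
      blocked.push({ ...entry, reason: "missing-context" });
    } else if (!isAllowed(entry)) {
      blocked.push({ ...entry, reason: "policy" });
    } else {
      replayed.push(entry);
    }
  }
  return { replayed, blocked };
}

// Constructed queue state captured just before a restart (step 4 above):
// group-a queued a restricted file and an allowed image.
const QUEUE_BEFORE_RESTART = [
  { media: { kind: "file", name: "report.pdf" }, context: { groupId: "group-a", sessionId: "s-1" } },
  { media: { kind: "image", name: "chart.png" }, context: { groupId: "group-a", sessionId: "s-1" } },
];
```

With the fixed format, recovery replays only the image and blocks the file on policy; with the old format, every entry is blocked for missing context, which is the safe outcome for queue files written by an unpatched version.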

Exploitation Scenario

An insider or attacker with the ability to trigger or time a service restart — through a crash, a deployment, or a deliberate denial-of-service — positions outbound media in the openclaw delivery queue before the restart. Upon service recovery, the queued media replays without group tool-policy context. In a multi-tenant agent platform, an agent configured to restrict file-sharing or external API calls for Group A could replay those queued actions under Group B's session scope, exposing Group B's data or invoking tools the originating group was never authorized to use. No exploit tooling is required; knowledge of the vulnerability and control over the restart trigger is sufficient.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026
