GHSA-v8qf-fr4g-28p2: OpenClaw: auth scope bypass exposes assistant-media files
GHSA-v8qf-fr4g-28p2 (severity: LOW)
OpenClaw's Control UI assistant-media route fails to enforce operator.read scope on identity-bearing HTTP auth paths, meaning any authenticated trusted-proxy caller, regardless of their granted scopes, can read assistant-media files and metadata outside their authorization boundary. While exploitation still requires valid gateway authentication (substantially limiting opportunistic abuse), the 135 CVEs already catalogued against this package signal a systemic pattern of authorization control weaknesses that compound risk in environments handling sensitive agent-generated content. With no public exploit, no KEV listing, and only 4 downstream npm dependents, emergency patching is not required, but teams running OpenClaw should upgrade to 2026.4.20 and audit all trusted-proxy scope assignments to confirm least privilege is enforced across agent media routes.
What is the risk?
Low risk in isolation. Exploitation requires an attacker to already hold valid trusted-proxy credentials and to pass gateway authentication, which effectively limits the threat to insiders or compromised internal service accounts. There is no CVSS vector, no public PoC and no Nuclei template, and the advisory is not listed in CISA KEV, all of which further lower the likelihood of exploitation. However, OpenClaw's 135-CVE history indicates recurring authorization weaknesses; organizations running it in multi-tenant or enterprise contexts that handle sensitive AI-generated media should treat this as part of a broader control gap rather than a single low-severity finding.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.20 | 2026.4.20 |
What should I do?
1. Upgrade openclaw (npm) to version 2026.4.20 immediately; this is the only complete fix.
2. Audit all trusted-proxy caller configurations and enumerate which callers lack operator.read scope; revoke or re-scope as needed.
3. If patching is delayed, restrict the assistant-media route at the network or gateway layer to callers that explicitly hold operator.read.
4. Review assistant-media access logs for trusted-proxy requests that lacked operator.read, looking back to the deployment of vulnerable versions.
5. Enable scope-level logging on identity-bearing HTTP auth paths to surface future authorization anomalies early.
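One way to run the look-back in steps 2 and 4, as an added example that is not OpenClaw tooling. The JSON-lines log schema (`authMode`, `user`, `scopes`, `path`, `status`), the route prefix and the sample entries are all assumptions constructed for illustration; map them onto whatever your gateway actually records.

```javascript
// Added example. The log schema and route prefix are assumptions, not OpenClaw's format.
const MEDIA_ROUTE_PREFIX = "/assistant-media/"; // placeholder; the page does not give the real path
const REQUIRED_SCOPE = "operator.read";

// Constructed JSON-lines access log covering the cases worth separating.
const SAMPLE_LOG = [
  '{"ts":"2026-04-02T09:14:03Z","authMode":"trusted-proxy","user":"svc-ci","scopes":[],"path":"/assistant-media/s1/out.png","status":200}',
  '{"ts":"2026-04-02T09:15:10Z","authMode":"trusted-proxy","user":"alice","scopes":["operator.read"],"path":"/assistant-media/s1/out.png","status":200}',
  '{"ts":"2026-04-02T09:16:44Z","authMode":"trusted-proxy","user":"dev-bob","path":"/assistant-media/s2/meta","status":200}',
  '{"ts":"2026-04-02T09:17:02Z","authMode":"trusted-proxy","user":"svc-ci","scopes":[],"path":"/assistant-media/s3/a.wav","status":403}',
  '{"ts":"2026-04-02T09:18:30Z","authMode":"trusted-proxy","user":"svc-ci","scopes":[],"path":"/health","status":200}',
  'truncated line {"ts":',
];

function auditMediaAccess(lines) {
  const findings = [];
  const unparsed = [];
  lines.forEach((line, i) => {
    let e;
    try {
      e = JSON.parse(line);
    } catch {
      e = null;
    }
    if (!e || typeof e !== "object") {
      unparsed.push(i + 1); // keep the line number: gaps in the log matter for a look-back
      return;
    }
    const scopes = Array.isArray(e.scopes) ? e.scopes : []; // absent field = no scopes declared
    const served = e.status >= 200 && e.status < 300; // denied requests returned no media
    if (
      e.authMode === "trusted-proxy" &&
      typeof e.path === "string" && e.path.startsWith(MEDIA_ROUTE_PREFIX) &&
      served && !scopes.includes(REQUIRED_SCOPE)
    ) {
      findings.push({ line: i + 1, ts: e.ts, user: e.user, path: e.path });
    }
  });
  // Distinct callers to re-scope or revoke (step 2).
  const callers = [...new Set(findings.map((f) => f.user))].sort();
  return { findings, callers, unparsed };
}
```

`auditMediaAccess(SAMPLE_LOG)` reports the two served media reads made without `operator.read`, the callers behind them, and the line that could not be parsed.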
Frequently Asked Questions
Is GHSA-v8qf-fr4g-28p2 actively exploited?
No confirmed active exploitation of GHSA-v8qf-fr4g-28p2 has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-v8qf-fr4g-28p2?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, API gateways, multi-modal AI pipelines.
What is the CVSS score for GHSA-v8qf-fr4g-28p2?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0085 Data from AI Services
- AML.T0091.000 Application Access Token
What are the technical details?
Original Advisory
## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`

## Impact

The Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. A trusted-proxy caller without `operator.read` could access assistant-media files and metadata that were otherwise inside allowed media roots. The route still required successful gateway authentication and media-root checks. Severity is low.

## Fix

Assistant-media file and metadata requests now require `operator.read` on identity-bearing HTTP auth paths.

Fix commit:

- `99ef3a63c58440d53f8e45ad861b846032fcb036`

## Release

Fixed in OpenClaw `2026.4.20`.
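The control flow the advisory describes, modelled as an added example: this is not OpenClaw source and not the fix commit's code. Every function name, the media root, the request shape and the sample callers are hypothetical; it shows why passing gateway authentication and the media-root check is not the same as holding `operator.read`.

```javascript
// Added illustration, not OpenClaw source. Every name here is hypothetical.
const MEDIA_ROOTS = ["/srv/openclaw/media"]; // constructed media root
const IDENTITY_BEARING = new Set(["trusted-proxy"]); // auth modes that carry declared scopes

// Simplified POSIX path normalisation so ".." cannot step out of a root.
function normalize(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "..") out.pop();
    else if (seg && seg !== ".") out.push(seg);
  }
  return "/" + out.join("/");
}

// Gateway authentication: establishes who is calling, not what they may read.
function authenticate(req) {
  if (!req.auth || req.auth.ok !== true) return null;
  return { mode: req.auth.mode, user: req.auth.user, scopes: new Set(req.auth.scopes || []) };
}

function insideMediaRoot(file) {
  const resolved = normalize(file);
  return MEDIA_ROOTS.some((root) => resolved.startsWith(root + "/"));
}

function handleAssistantMedia(req, enforceScopes) {
  const caller = authenticate(req);
  if (!caller) return { status: 401, error: "gateway authentication failed" };
  // The authorization step the advisory describes as missing before 2026.4.20.
  if (enforceScopes && IDENTITY_BEARING.has(caller.mode) && !caller.scopes.has("operator.read")) {
    return { status: 403, error: "missing scope: operator.read" };
  }
  if (!insideMediaRoot(req.file)) return { status: 403, error: "outside allowed media roots" };
  return { status: 200, file: normalize(req.file) };
}

const beforeFix = (req) => handleAssistantMedia(req, false);
const afterFix = (req) => handleAssistantMedia(req, true);

// Constructed requests: the same proxy-authenticated caller with and without the scope.
const unscoped = {
  auth: { ok: true, mode: "trusted-proxy", user: "svc-ci", scopes: [] },
  file: "/srv/openclaw/media/s1/out.png",
};
const scoped = { ...unscoped, auth: { ...unscoped.auth, scopes: ["operator.read"] } };
const escaping = { ...scoped, file: "/srv/openclaw/media/../config.json" };
```

`beforeFix(unscoped)` is served while `afterFix(unscoped)` is refused; `escaping` is refused by both, matching the advisory's note that media-root checks were still in place.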
Exploitation Scenario
An attacker with access to an internal service account configured as a trusted-proxy caller—either through credential compromise or a developer account with gateway access but no operator.read scope—sends authenticated HTTP requests to the OpenClaw Control UI's assistant-media route. Because the route performs gateway authentication but skips operator.read scope validation, it returns file listings and metadata for assistant-generated media beyond the caller's intended boundary. The attacker enumerates session or media identifiers from returned metadata, then iteratively retrieves documents, audio files, or images from privileged operator sessions—exfiltrating sensitive AI-generated content without triggering any scope-enforcement alert.
Weaknesses (CWE)
CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
Related Vulnerabilities
| CVE | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-33579 | 9.9 | OpenClaw: scope bypass escalates low-priv to admin | Same package: openclaw |
| CVE-2026-32922 | 9.9 | OpenClaw: privilege escalation to RCE via token scope bypass | Same package: openclaw |
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-32038 | 9.8 | Analysis pending | Same package: openclaw |
| CVE-2026-53838 | 9.8 | OpenClaw: approval scope bypass via reconnection state | Same package: openclaw |