GHSA-vc32-h5mq-453v: OpenClaw: cross-channel allowlist write bypass

GHSA-vc32-h5mq-453v MEDIUM
Published April 9, 2026
CISO Take

OpenClaw's /allowlist endpoint fails to enforce owner-only access control, allowing any authorized non-owner sender to write allowlist entries to channels they don't own — effectively collapsing channel-level security boundaries within the local AI assistant. While no CISA KEV entry or public exploit exists and exploitation requires prior authorized access, this class of broken function-level authorization becomes significantly more dangerous given OpenClaw's known-troubled supply chain: the package carries 60+ prior CVEs and is directly linked to AIID #1368, where malicious skills delivered AMOS credential-stealing malware to users. A threat actor already embedded via a malicious skill could exploit this flaw to expand allowlist access across privileged channels without owner credentials. Upgrade to openclaw v2026.4.8 immediately and audit all existing allowlist configurations for unauthorized entries.

Sources: GitHub Advisory, ATLAS

Risk Assessment

Medium risk overall, but contextually elevated for organizations relying on OpenClaw's channel isolation model as a meaningful security boundary. Exploitation requires existing authorized non-owner access, which limits blast radius in single-user local deployments. However, in multi-user or skill-augmented configurations, this authorization flaw becomes a viable privilege escalation stepping stone — particularly given the package's history of 60+ CVEs and documented exploitation of its skills ecosystem for credential theft. No public exploit or scanner template exists, keeping near-term exploitation likelihood low absent a targeted attacker.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
openclaw | npm | < 2026.4.8 | 2026.4.8

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Upgrade openclaw to v2026.4.8 immediately — the patched version enforces owner-only authorization on all allowlist writes and includes targeted regression tests for the affected security boundary.
  2. Audit existing allowlist configurations across all channels for unauthorized entries, prioritizing high-privilege or administrative channels.
  3. Until patched, restrict authorized senders to the minimum required set and monitor /allowlist API calls for cross-channel write patterns.
  4. Given AIID #1368, conduct a full inventory of installed OpenClaw skills and remove any unverified or third-party skills from untrusted sources.
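
The missing check described in this advisory, and the cross-channel write pattern that step 3 asks you to monitor for, modeled as an added example. This is not OpenClaw's code: the request fields, the `state` shape and the function names are hypothetical, and it assumes same-channel writes by authorized senders stay permitted, since the advisory only describes the cross-channel case.

```javascript
// Added illustration with a hypothetical request model; not OpenClaw's code.
// A request names the sender, the channel it arrived on (originChannel) and
// the channel whose allowlist it wants to change (targetChannel).

// Unpatched behaviour as the advisory describes it: any authorized sender
// passes, with no owner check when the target differs from the origin.
function authorizeVulnerable(req, state) {
  return state.authorized[req.originChannel]?.includes(req.sender) ?? false;
}

// Hardened form: still require an authorized sender, and additionally
// require the owner for any write that crosses a channel boundary.
function authorizeHardened(req, state) {
  if (!authorizeVulnerable(req, state)) return false;
  const crossChannel = req.targetChannel !== req.originChannel;
  return !crossChannel || req.sender === state.owner;
}

// Audit helper: from recorded allowlist writes, return those that crossed
// channels and were not issued by the owner.
function findSuspectWrites(events, state) {
  return events
    .filter((e) => e.action === "add" || e.action === "remove")
    .filter((e) => e.targetChannel !== e.originChannel && e.sender !== state.owner);
}

// Constructed sample state and events (not real OpenClaw data).
const state = {
  owner: "owner-1",
  authorized: { chat: ["owner-1", "guest-7"], admin: ["owner-1"] },
};
const events = [
  { sender: "owner-1", originChannel: "chat", targetChannel: "admin", action: "add", entry: "ops-2" },
  { sender: "guest-7", originChannel: "chat", targetChannel: "chat", action: "add", entry: "guest-8" },
  { sender: "guest-7", originChannel: "chat", targetChannel: "admin", action: "add", entry: "guest-7" },
];

const suspects = findSuspectWrites(events, state);
console.log(suspects.map((e) => `${e.sender}: ${e.originChannel} -> ${e.targetChannel}`));
```

Entries surfaced this way are candidates for the allowlist audit in step 2: check whether the added identity is still present on the target channel and whether the owner approved it.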

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.1 - Actions to address AI risks and opportunities
NIST AI RMF: GOVERN 1.7 - Processes and procedures are in place for the AI lifecycle
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is GHSA-vc32-h5mq-453v actively exploited?

No confirmed active exploitation of GHSA-vc32-h5mq-453v has been reported, but organizations should still patch proactively.

How to fix GHSA-vc32-h5mq-453v?

  1. Upgrade openclaw to v2026.4.8 immediately — the patched version enforces owner-only authorization on all allowlist writes and includes targeted regression tests for the affected security boundary.
  2. Audit existing allowlist configurations across all channels for unauthorized entries, prioritizing high-privilege or administrative channels.
  3. Until patched, restrict authorized senders to the minimum required set and monitor /allowlist API calls for cross-channel write patterns.
  4. Given AIID #1368, conduct a full inventory of installed OpenClaw skills and remove any unverified or third-party skills from untrusted sources.

What systems are affected by GHSA-vc32-h5mq-453v?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI assistants, multi-channel AI agent deployments.

What is the CVSS score for GHSA-vc32-h5mq-453v?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact

/allowlist omits owner-only enforcement for cross-channel allowlist writes. An authorized non-owner sender could attempt allowlist writes against a different channel.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<=v2026.4.1`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @zsxsoft and @KeenSecurityLab for reporting.

Exploitation Scenario

An attacker installs or compromises a malicious OpenClaw skill that operates as an authorized non-owner sender on a victim's low-privilege channel. Using the unpatched /allowlist endpoint, the skill sends crafted write requests targeting a high-privilege administrative channel's allowlist, injecting an attacker-controlled identity. With allowlist access to the administrative channel established without owner credentials, the attacker can invoke agent tools, exfiltrate data, or persist across sessions — escalating from a limited skill context to broader agent access across the entire multi-channel deployment.

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026
