GHSA-vr5g-mmx7-h897 — MEDIUM AI Security Vulnerability

Q: Is GHSA-vr5g-mmx7-h897 actively exploited?

No confirmed active exploitation of GHSA-vr5g-mmx7-h897 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-vr5g-mmx7-h897?

1. Patch immediately: upgrade openclaw to version 2026.4.8 (npm). The fix is available at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. 2. Until patched, restrict the network context in which OpenClaw runs — use egress firewall rules to block access to RFC 1918 ranges, loopback, and link-local addresses (169.254.0.0/16) from the host running OpenClaw. 3. Audit logs for anomalous internal HTTP requests originating from the OpenClaw process. 4. Review whether OpenClaw requires browser capabilities at all for your use case — disabling the browser tool eliminates the attack surface. 5. Given the 60-CVE package history, evaluate whether OpenClaw aligns with your vendor security requirements.

Q: What systems are affected by GHSA-vr5g-mmx7-h897?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI-assisted browsing pipelines, local AI assistants with network access.

Q: What is the CVSS score for GHSA-vr5g-mmx7-h897?

No CVSS score has been assigned yet.

CISO Take

OpenClaw's browser component contains a security policy bypass that allows user-triggered browser interactions to initiate navigations without undergoing the tool's normal SSRF validation checks, potentially enabling unauthorized requests to internal network resources. While the advisory scopes this to the local user-controlled trust model, enterprise AI deployments are rarely isolated — an AI assistant browsing a malicious page could silently probe internal services, metadata endpoints, or cloud provider APIs that are otherwise unreachable from the public internet. The package carries a substantial vulnerability history with 60 prior CVEs, and the same ecosystem was recently linked to credential theft via malicious third-party skills (AIID #1368), indicating sustained adversarial interest in the OpenClaw platform. No EPSS data is available and the vulnerability is not in CISA KEV, but given the active targeting pattern, organizations running OpenClaw should patch to version 2026.4.8 immediately — the fix was verified against regression tests specifically targeting this security boundary.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium severity by CVSS, but contextually elevated for AI agent deployments. SSRF in a local AI assistant's browser tool creates a lateral movement vector from the user's workstation to internal network segments. The absence of a CVSS vector suggests limited remote exploitability, but interaction-triggered bypass lowers the bar — any webpage the agent visits becomes a potential pivot point. The 60-CVE history of the package signals systemic security debt, not an isolated defect.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	< 2026.4.8	`2026.4.8`

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

Patch immediately: upgrade openclaw to version 2026.4.8 (npm). The fix is available at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
Until patched, restrict the network context in which OpenClaw runs — use egress firewall rules to block access to RFC 1918 ranges, loopback, and link-local addresses (169.254.0.0/16) from the host running OpenClaw.
Audit logs for anomalous internal HTTP requests originating from the OpenClaw process.
Review whether OpenClaw requires browser capabilities at all for your use case — disabling the browser tool eliminates the attack surface.
Given the 60-CVE package history, evaluate whether OpenClaw aligns with your vendor security requirements.

Classification

Auth Bypass Data Extraction Agent Plugin AML.T0049 - Exploit Public-Facing Application AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0078 - Drive-by Compromise AML.T0086 - Exfiltration via AI Agent Tool Invocation AML.T0100 - AI Agent Clickbait AML.T0112.000 - Local AI Agent

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art.9 - Risk management system

ISO 42001

8.3 - AI system operation and monitoring A.6.2 - AI system information security controls

NIST AI RMF

GOVERN 6.2 - Policies and procedures are in place to address AI risks MANAGE 4.1 - Post-deployment AI risk monitoring and response

OWASP LLM Top 10

LLM06 - Excessive Agency

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

The incident involved malicious skills in the OpenClaw ecosystem exfiltrating credentials via the same platform affected by this CVE. While the attack vector differs (malicious third-party skills vs. SSRF bypass), the same adversarial targeting of OpenClaw's trust boundaries and the same credential exfiltration outcome make this a closely related failure mode.

AIID #1368

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is GHSA-vr5g-mmx7-h897?

OpenClaw's browser component contains a security policy bypass that allows user-triggered browser interactions to initiate navigations without undergoing the tool's normal SSRF validation checks, potentially enabling unauthorized requests to internal network resources. While the advisory scopes this to the local user-controlled trust model, enterprise AI deployments are rarely isolated — an AI assistant browsing a malicious page could silently probe internal services, metadata endpoints, or cloud provider APIs that are otherwise unreachable from the public internet. The package carries a substantial vulnerability history with 60 prior CVEs, and the same ecosystem was recently linked to credential theft via malicious third-party skills (AIID #1368), indicating sustained adversarial interest in the OpenClaw platform. No EPSS data is available and the vulnerability is not in CISA KEV, but given the active targeting pattern, organizations running OpenClaw should patch to version 2026.4.8 immediately — the fix was verified against regression tests specifically targeting this security boundary.

Is GHSA-vr5g-mmx7-h897 actively exploited?

No confirmed active exploitation of GHSA-vr5g-mmx7-h897 has been reported, but organizations should still patch proactively.

How to fix GHSA-vr5g-mmx7-h897?

1. Patch immediately: upgrade openclaw to version 2026.4.8 (npm). The fix is available at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. 2. Until patched, restrict the network context in which OpenClaw runs — use egress firewall rules to block access to RFC 1918 ranges, loopback, and link-local addresses (169.254.0.0/16) from the host running OpenClaw. 3. Audit logs for anomalous internal HTTP requests originating from the OpenClaw process. 4. Review whether OpenClaw requires browser capabilities at all for your use case — disabling the browser tool eliminates the attack surface. 5. Given the 60-CVE package history, evaluate whether OpenClaw aligns with your vendor security requirements.

What systems are affected by GHSA-vr5g-mmx7-h897?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI-assisted browsing pipelines, local AI assistants with network access.

What is the CVSS score for GHSA-vr5g-mmx7-h897?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact Browser SSRF Policy Bypass via Interaction-Triggered Navigation. Browser interactions could trigger navigations that bypassed the normal SSRF navigation checks. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.5` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @ccreater222 and @KeenSecurityLab for reporting.

Exploitation Scenario

An adversary hosts a malicious webpage containing JavaScript or crafted HTML that triggers a browser navigation event (e.g., a redirect, form submission, or link click) when the AI agent visits or interacts with the page. This interaction bypasses OpenClaw's SSRF policy checks, causing the browser to issue a request to an internal resource — such as the AWS metadata endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) or an internal Kubernetes API server. The response is returned to the browser context, where it may be processed by the AI agent or logged, leaking credentials or internal network topology to the adversary. In more sophisticated variants, the adversary chains this with a prompt injection in the page content to instruct the agent to exfiltrate the response to an external endpoint.