OpenClaw's approval workflow contains a TOCTOU (Time-of-Check-Time-of-Use) flaw where a local script approved via `pnpm dlx` can be silently replaced with malicious content before execution — the approval plan remains valid regardless of the substitution. The practical blast radius is constrained to environments where multiple operators or automated pipelines share filesystem access with OpenClaw, making insider threat and compromised CI/CD scenarios the primary concern; no public exploit exists and the vulnerability is not in CISA KEV. However, OpenClaw carries 37 known CVEs, a pattern suggesting systemic security debt that should factor into your supply chain risk calculus for AI agent tooling. Upgrade to openclaw >= 2026.4.2 immediately; if patching is blocked, restrict write access to script directories used by OpenClaw operators and add file-integrity monitoring between approval and execution events.
Risk Assessment
Medium risk overall but elevated in multi-tenant AI agent environments. Exploitation requires operator-level local access, limiting internet-exposed attack surface. The TOCTOU window is narrow but deterministic for a local attacker with write access to the script path. The authorization bypass is particularly dangerous in AI agent pipelines where script execution carries elevated privileges (tool access, API keys, filesystem reads). The package's 37-CVE history signals a pattern of security debt that warrants heightened scrutiny beyond this individual finding.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.4.1 | 2026.4.2 |
If you use openclaw at version 2026.4.1 or earlier, you are affected.
Recommended Action
- Patch: Upgrade openclaw to >= 2026.4.2 immediately. The fix commit (176c059b) binds local script operands in pnpm dlx approval plans to prevent substitution.
- If patching is blocked: restrict filesystem write permissions on directories containing OpenClaw-approved scripts to only the approving operator identity.
- Detection: Add file-integrity monitoring (hash verification) on approved script paths between approval event and execution event. Alert on any modification delta.
- Audit: Review existing approval plans for evidence of unexpected file modification timestamps between approval and execution in audit logs.
- Supply chain hygiene: Given 37 CVEs in this package, evaluate whether OpenClaw is the appropriate dependency for security-sensitive agent pipelines.
Technical Details
NVD Description
## Summary
Before OpenClaw 2026.4.2, `pnpm dlx` approval planning did not bind local script operands the same way as related `pnpm exec` flows. A local script approved through a `pnpm dlx` path could be replaced before execution without invalidating the approval.

## Impact
An operator could approve a benign local script and then execute modified script contents through the still-valid approval plan. This was an approval-integrity bug in the node-host command-planning path.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)
- `176c059b05357df1bc09d4328a2380670859eeff` — bind local scripts in `pnpm dlx` approval plans

## Release Process Note
The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.

Thanks @Kazamayc for reporting.
Exploitation Scenario
A malicious insider with operator access to an AI agent deployment submits a harmless shell script (e.g., a data validation routine) for approval via the `pnpm dlx` workflow. After receiving approval, and before the scheduled execution window, the attacker overwrites the script file with a payload that exfiltrates API keys from the agent's environment variables, establishes a reverse shell, or reads sensitive AI artifacts from the pipeline filesystem. When the agent executes the still-approved plan, it runs the malicious payload rather than the reviewed script — with no validation failure, no alert, and full agent-level permissions. In a CI/CD context, an attacker who compromises a developer workstation could exploit this window to inject malicious code into an approved deployment pipeline without triggering re-review.
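The substitution window described in this scenario, and the hash binding that the Recommended Action items (patch, file-integrity monitoring between approval and execution) rely on, as an added example. This is not OpenClaw's code and is written in Python rather than the project's own TypeScript; the `ApprovalPlan` type, the function names and the sample scripts are constructed for the illustration. It contrasts a plan that records only the script path (the pre-2026.4.2 shape the advisory describes) with one that also records a SHA-256 digest of the reviewed contents and re-verifies it immediately before execution.

```python
"""Added example: approval-plan integrity for a locally approved script.

Not OpenClaw's code. A plan that records only the script path stays valid
after the file is rewritten; a plan that also records a SHA-256 digest of
the script at approval time fails closed when the contents change.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple


def sha256_file(path: str) -> str:
    """Digest the file in chunks so large scripts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass(frozen=True)
class ApprovalPlan:            # constructed type, not OpenClaw's plan format
    tool: str                  # label only, e.g. "pnpm dlx"; nothing is executed here
    script_path: str
    bound_digest: Optional[str]  # None means path-only binding (the vulnerable shape)


def approve_path_only(tool: str, script_path: str) -> ApprovalPlan:
    """Vulnerable shape: the plan remembers where the script is, not what it says."""
    return ApprovalPlan(tool, script_path, None)


def approve_bound(tool: str, script_path: str) -> ApprovalPlan:
    """Fixed shape: the plan is tied to the reviewed contents via a digest."""
    return ApprovalPlan(tool, script_path, sha256_file(script_path))


def verify_before_execution(plan: ApprovalPlan) -> Tuple[bool, str]:
    """Gate the executor must pass immediately before running the plan.

    Returns (ok, reason). Re-hashing here is the integrity check between
    the approval event and the execution event.
    """
    if not os.path.isfile(plan.script_path):
        return False, "script missing"
    if plan.bound_digest is None:
        return True, "path-only approval: contents not checked"
    current = sha256_file(plan.script_path)
    if current != plan.bound_digest:
        return False, f"digest mismatch: approved {plan.bound_digest[:12]}, now {current[:12]}"
    return True, "digest matches approval"


def simulate(bind_contents: bool, substitute: bool) -> Tuple[bool, str]:
    """Approve a benign script, optionally rewrite it, then run the gate."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "validate.sh")
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho validating input\n")   # constructed benign script
        plan = (approve_bound if bind_contents else approve_path_only)("pnpm dlx", path)
        if substitute:
            # The window between approval and execution: another writer with
            # access to the directory replaces the reviewed file.
            with open(path, "w") as f:
                f.write("#!/bin/sh\necho replaced contents\n")  # constructed replacement
        return verify_before_execution(plan)


if __name__ == "__main__":
    for bind, swap in [(False, True), (True, True), (True, False)]:
        ok, reason = simulate(bind, swap)
        print(f"bind={bind} substituted={swap} -> ok={ok}: {reason}")
```

The path-only plan passes the gate after substitution, which is the behaviour the advisory describes; the digest-bound plan rejects it. One design point for anyone adding this as a monitoring control rather than waiting for the patch: hashing by path and then executing by path still leaves a small window between the two opens, so the verifier and the executor should work from the same opened file (or from a copy taken at approval time) rather than re-resolving the path a second time.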
Related Vulnerabilities
- CVE-2026-30741 (9.8) OpenClaw: RCE via request-side prompt injection (same package: openclaw)
- CVE-2026-28451 (9.3) OpenClaw: SSRF via Feishu extension exposes internal services (same package: openclaw)
- GHSA-m3mh-3mpg-37hw (8.6) OpenClaw: .npmrc hijack enables RCE on plugin install (same package: openclaw)
- CVE-2026-27001 (7.8) OpenClaw: prompt injection via unsanitized workspace path (same package: openclaw)
- GHSA-hr5v-j9h9-xjhg (7.7) OpenClaw: sandbox escape via mediaUrl path traversal (same package: openclaw)