GHSA-w8g9-x8gx-crmm — MEDIUM AI Security Vulnerability

Q: Is GHSA-w8g9-x8gx-crmm actively exploited?

No confirmed active exploitation of GHSA-w8g9-x8gx-crmm has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-w8g9-x8gx-crmm?

1. Patch: Upgrade openclaw to ≥2026.4.8 immediately — the fix is confirmed against commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 with regression tests for the affected boundary. 2. Network control: Enforce egress filtering on the host running OpenClaw; deny outbound requests to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local (169.254.0.0/16). 3. Detection: Monitor Playwright/Chromium process network connections for requests to private IP ranges — these should never appear in a normal local assistant workflow. 4. Audit: Review OpenClaw skill integrations for third-party or unverified sources given the documented malicious skills ecosystem (AIID #1368). 5. Workaround if patching is delayed: disable web browsing capabilities in OpenClaw configuration entirely.

Q: What systems are affected by GHSA-w8g9-x8gx-crmm?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI assistants, browser-augmented AI agents.

Q: What is the CVSS score for GHSA-w8g9-x8gx-crmm?

No CVSS score has been assigned yet.

CISO Take

OpenClaw's browser automation layer (Playwright) fails to validate redirect destinations during request-time navigation, allowing private network targets — cloud metadata endpoints, internal APIs, corporate intranet services — to be reached despite strict SSRF controls being ostensibly in place. While scoped to a local assistant trust model and rated medium severity with no EPSS data or KEV listing, the 60 prior CVEs in this package and the documented AIID #1368 incident (malicious OpenClaw skills delivering credential stealers via ClawHub) establish a pattern of adversarial interest in this ecosystem. Organizations running OpenClaw in environments where the agent has LAN or cloud provider metadata access should treat this as higher risk than the base severity suggests. Upgrade immediately to version 2026.4.8, and in the interim restrict outbound Playwright traffic to an allowlist of approved domains via network policy or firewall rules.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium as rated, but contextually elevated for AI agent deployments. SSRF in browser-automation-enabled AI agents is particularly dangerous because the agent may be trusted to browse arbitrary URLs as part of its normal workflow, making malicious redirect payloads harder to distinguish from legitimate navigation. No public exploit, no active exploitation evidence, and the trust boundary is explicitly local-assistant — however, cloud-hosted or enterprise deployments that deviate from the documented trust model face meaningful lateral movement risk if SSRF reaches IMDS (169.254.169.254) or internal service meshes.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	< 2026.4.8	`2026.4.8`

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

Recommended Action

Patch: Upgrade openclaw to ≥2026.4.8 immediately — the fix is confirmed against commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 with regression tests for the affected boundary.
Network control: Enforce egress filtering on the host running OpenClaw; deny outbound requests to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local (169.254.0.0/16).
Detection: Monitor Playwright/Chromium process network connections for requests to private IP ranges — these should never appear in a normal local assistant workflow.
Audit: Review OpenClaw skill integrations for third-party or unverified sources given the documented malicious skills ecosystem (AIID #1368).
Workaround if patching is delayed: disable web browsing capabilities in OpenClaw configuration entirely.

Classification

Supply Chain Auth Bypass Data Extraction Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0011.002 - Poisoned AI Agent Tool AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0080 - AI Agent Context Poisoning AML.T0086 - Exfiltration via AI Agent Tool Invocation AML.T0112.000 - Local AI Agent

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system operation A.9.3 - Security of AI system inputs

NIST AI RMF

MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems MAP 5.1 - Likelihood and magnitude of each identified impact are estimated

OWASP LLM Top 10

LLM06 - Excessive Agency LLM07 - System Prompt Leakage LLM08 - Excessive Agency

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

AIID #1368 documents adversarial exploitation of OpenClaw's third-party skills ecosystem to deliver credential stealers, establishing that threat actors actively target OpenClaw's agent tool surface. The SSRF bypass in this CVE represents an adjacent attack vector — rather than a malicious skill, an attacker exploits the browser automation tool to harvest credentials from IMDS or internal APIs, sharing the same credential exfiltration objective through a different technical path.

AIID #1368

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is GHSA-w8g9-x8gx-crmm?

OpenClaw's browser automation layer (Playwright) fails to validate redirect destinations during request-time navigation, allowing private network targets — cloud metadata endpoints, internal APIs, corporate intranet services — to be reached despite strict SSRF controls being ostensibly in place. While scoped to a local assistant trust model and rated medium severity with no EPSS data or KEV listing, the 60 prior CVEs in this package and the documented AIID #1368 incident (malicious OpenClaw skills delivering credential stealers via ClawHub) establish a pattern of adversarial interest in this ecosystem. Organizations running OpenClaw in environments where the agent has LAN or cloud provider metadata access should treat this as higher risk than the base severity suggests. Upgrade immediately to version 2026.4.8, and in the interim restrict outbound Playwright traffic to an allowlist of approved domains via network policy or firewall rules.

Is GHSA-w8g9-x8gx-crmm actively exploited?

No confirmed active exploitation of GHSA-w8g9-x8gx-crmm has been reported, but organizations should still patch proactively.

How to fix GHSA-w8g9-x8gx-crmm?

1. Patch: Upgrade openclaw to ≥2026.4.8 immediately — the fix is confirmed against commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 with regression tests for the affected boundary. 2. Network control: Enforce egress filtering on the host running OpenClaw; deny outbound requests to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local (169.254.0.0/16). 3. Detection: Monitor Playwright/Chromium process network connections for requests to private IP ranges — these should never appear in a normal local assistant workflow. 4. Audit: Review OpenClaw skill integrations for third-party or unverified sources given the documented malicious skills ecosystem (AIID #1368). 5. Workaround if patching is delayed: disable web browsing capabilities in OpenClaw configuration entirely.

What systems are affected by GHSA-w8g9-x8gx-crmm?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI assistants, browser-augmented AI agents.

What is the CVSS score for GHSA-w8g9-x8gx-crmm?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable. Strict browser SSRF checks could miss Playwright request-time navigation to private targets. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `2026.3.8` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @smaeljaish771 for reporting.

Exploitation Scenario

An adversary embeds a redirect chain in a webpage or document that OpenClaw's Playwright instance is directed to browse. The initial URL passes SSRF validation (it resolves to a public host), but the server responds with an HTTP 301/302 redirect to an internal target such as http://169.254.169.254/latest/meta-data/ (AWS IMDS) or an internal API gateway. Because Playwright follows the redirect at request time and the SSRF check only validates the original URL, the agent fetches the internal resource and potentially returns its contents — IAM credentials, internal service tokens, or network topology data — back to the session context. In a prompt-injection-assisted variant, malicious content in a document instructs the agent to visit a crafted URL, completing a multi-stage attack requiring no direct access to the victim's machine.