GHSA-whf9-3hcx-gq54: OpenClaw: token rotation bypasses role approval

GHSA-whf9-3hcx-gq54 MEDIUM
Published April 9, 2026
CISO Take

OpenClaw's `device.token.rotate` function incorrectly mints or preserves device tokens carrying roles and scopes that have not undergone the required pairing approval workflow, constituting an authorization bypass (CWE-863). Although OpenClaw is a user-controlled local assistant — not a multi-tenant service — this matters to security teams because unauthorized role elevation in an AI agent can allow it to operate well beyond its approved capability boundary, silently violating the principle of least privilege. No EPSS data is available, the vulnerability is absent from CISA KEV, and no public exploits or scanner templates exist, indicating low immediate exploitation pressure; however, the same OpenClaw ecosystem has a documented history of malicious third-party skills exfiltrating credentials (AIID #1368), making any authorization gap in this stack higher-risk than it would be in isolation. Upgrade to openclaw 2026.4.8 and audit all device tokens issued under versions ≤ 2026.04.01 to confirm their roles match approved pairings.

Sources: GitHub Advisory, ATLAS

Risk Assessment

Medium risk overall, with an elevated concern in environments where OpenClaw agents are granted access to sensitive systems or credentials. The trust model is explicitly scoped to a single-user local assistant, which limits blast radius compared to a server-side multi-tenant product. However, CWE-863 in an AI agent means an agent could self-escalate capabilities without the user having explicitly approved that role, which undermines the foundational control of agentic permission governance. The absence of a CVSS vector, KEV listing, and public exploit corroborates a moderate rather than critical urgency, but the patch is available and low-cost to apply.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Patch immediately: upgrade openclaw (npm) to 2026.4.8 (commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5).
  2. Audit existing tokens: enumerate all device tokens issued by affected versions and verify each token's roles match the roles explicitly approved during pairing; revoke any token with unexpected scopes.
  3. Re-pair devices: for any device whose token cannot be audited, revoke and re-pair under the patched version.
  4. Least-privilege review: confirm OpenClaw agent roles are scoped to only what is operationally required.
  5. Monitor token issuance: log all `device.token.rotate` calls and alert on role additions that differ from the last approved pairing record.
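
One way to implement the audit in step 2 and the alert in step 5, as an added example rather than OpenClaw's own code: it compares the roles and scopes on each logged `device.token.rotate` call with the last approved pairing record. The log format, field names, device IDs, and role and scope names are all constructed assumptions.

```javascript
// Added example. Record shapes, device IDs, role and scope names are
// constructed placeholders, not OpenClaw's real schema or role set.

// What the user explicitly approved at pairing time, keyed by device.
const approvedPairings = new Map([
  ["dev-laptop", { roles: ["role-basic"], scopes: ["scope-read"] }],
  ["dev-phone", { roles: ["role-basic", "role-elevated"], scopes: ["scope-read", "scope-write"] }],
]);

// Constructed JSON-lines log; one object per call that issued a token.
const sampleLog = `
{"ts":"2026-04-02T10:00:00Z","method":"device.token.rotate","deviceId":"dev-laptop","roles":["role-basic"],"scopes":["scope-read"]}
{"ts":"2026-04-02T10:05:00Z","method":"example.other.call","deviceId":"dev-laptop","roles":["role-elevated"],"scopes":[]}
{"ts":"2026-04-02T10:07:00Z","method":"device.token.rotate","deviceId":"dev-laptop","roles":["role-basic","role-elevated"],"scopes":["scope-read","scope-write"]}
{"ts":"2026-04-02T10:09:00Z","method":"device.token.rotate","deviceId":"dev-phone","roles":["role-basic"],"scopes":["scope-read"]}
{"ts":"2026-04-02T10:12:00Z","method":"device.token.rotate","deviceId":"dev-unknown","roles":["role-basic"],"scopes":[]}
`;

// Entries of `granted` that the pairing record never approved.
const notApproved = (granted, approved) =>
  (Array.isArray(granted) ? granted : []).filter((x) => !approved.includes(x));

// Returns one finding per rotation that needs review or revocation.
function auditRotations(logText, pairings) {
  const findings = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let ev;
    try { ev = JSON.parse(line); }
    catch { findings.push({ reason: "unparseable-line", line }); continue; }
    if (ev.method !== "device.token.rotate") continue;
    const approved = pairings.get(ev.deviceId);
    if (!approved) {
      // Token for a device with no approval on record: treat as unaudited.
      findings.push({ reason: "no-pairing-record", deviceId: ev.deviceId, ts: ev.ts });
      continue;
    }
    const extraRoles = notApproved(ev.roles, approved.roles);
    const extraScopes = notApproved(ev.scopes, approved.scopes);
    if (extraRoles.length || extraScopes.length) {
      findings.push({ reason: "unapproved-grant", deviceId: ev.deviceId, ts: ev.ts, extraRoles, extraScopes });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditRotations(sampleLog, approvedPairings), null, 2));
```

A rotation that returns a subset of the approved roles produces no finding; devices flagged with `no-pairing-record` are the ones step 3 says to revoke and re-pair.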

Classification

Compliance Impact

This advisory is relevant to:

- EU AI Act: Art.15 - Accuracy, robustness and cybersecurity
- ISO 42001: A.6.2.3 - AI system access control
- NIST AI RMF: GOVERN 1.2 - Accountability and role definition
- OWASP LLM Top 10: LLM08 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is GHSA-whf9-3hcx-gq54 actively exploited?

No confirmed active exploitation of GHSA-whf9-3hcx-gq54 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-whf9-3hcx-gq54?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI agent deployments, AI agent tool integrations.

What is the CVSS score for GHSA-whf9-3hcx-gq54?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Impact

OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing.

Device token rotation could mint or preserve roles/scopes that had not gone through the intended pairing approval.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= v2026.04.01`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @nicky-cc of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Exploitation Scenario

A threat actor who has achieved foothold on a user's machine — or a malicious OpenClaw skill (analogous to the AMOS stealer scenario in AIID #1368) — invokes `device.token.rotate` on a device that was originally paired with a low-privilege role. Under the vulnerable code path, the rotation produces a token that includes higher-privileged scopes (e.g., filesystem write or credential-store access) that the user never explicitly approved. The actor then uses the inflated token to instruct the OpenClaw agent to exfiltrate local secrets, execute code, or pivot to other tools the agent has access to — all while appearing to operate within a legitimately issued device token.

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026
