OpenClaw versions 2026.2.26 through 2026.3.30 contain a logic flaw where pending pairing-request quotas are enforced globally per channel file rather than per account, allowing any tenant in a shared multi-account setup to exhaust the pending window and block other accounts from completing new pairings or agent onboarding. The vulnerability is strictly availability-scoped — no data access, credential exposure, or authorization bypass is possible — and requires the adversary to already share the same channel configuration, meaningfully constraining blast radius. There is no EPSS score, no CISA KEV entry, and no known public exploit, so active exploitation risk is low; however, organizations running automated AI agent provisioning pipelines where pairing is programmatic face elevated operational risk from even incidental triggering. Remediate by upgrading to openclaw 2026.3.31 or the currently published 2026.4.1 on npm; no documented workaround exists short of controlling pairing-request initiation at the account level.
Risk Assessment
Low-to-medium risk overall. Impact is strictly limited to availability of the pairing and onboarding flow — existing agent sessions, data, and credentials are unaffected. Exploitation requires an actor already present on the shared channel, limiting attack surface to multi-account deployments. No CVSS vector, EPSS data, or active exploitation signals are available. Risk is highest in automated agent provisioning pipelines where a blocked pairing causes cascading CI/CD or incident-response failures.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | >= 2026.2.26, < 2026.3.31 | 2026.3.31 |
Recommended Action
- Upgrade openclaw to >= 2026.3.31 or the latest 2026.4.1 on npm immediately — the fix scopes pending request caps per account.
- Audit current pending pairing requests per channel and manually expire or reject stale entries.
- As a compensating control, restrict pairing-request initiation to explicitly trusted accounts on multi-account channel setups.
- Instrument channel logs to alert on spikes in pending pairing requests as an indicator of attempted abuse.
- For CI/CD pipelines that auto-provision agents via pairing, add retry logic with alerting to surface pairing failures promptly.
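The log-instrumentation control above, worked through as an added example that is not OpenClaw's code: it reconstructs the set of still-pending pairing requests per channel file and account from constructed log lines, then flags any single account whose pending count approaches the shared cap (the point at which other accounts on that channel file start to be refused). The log format, event names, field names, the cap of 4 and the 75% threshold are all assumptions for the example.

```javascript
// Added example, not OpenClaw's code. Constructed channel log lines; the
// "pairing.<event> channel=... account=... req=..." format is an assumption.
const SAMPLE_LOG = [
  '2026-04-01T10:00:01Z pairing.request  channel=team-chat.json account=acct-a req=101',
  '2026-04-01T10:00:02Z pairing.request  channel=team-chat.json account=acct-a req=102',
  '2026-04-01T10:00:03Z pairing.request  channel=team-chat.json account=acct-b req=103',
  '2026-04-01T10:00:04Z pairing.request  channel=team-chat.json account=acct-a req=104',
  '2026-04-01T10:00:05Z pairing.approved channel=team-chat.json account=acct-a req=101',
  '2026-04-01T10:00:06Z pairing.request  channel=team-chat.json account=acct-a req=105',
  '2026-04-01T10:00:07Z pairing.request  channel=ops.json       account=acct-c req=106',
].join('\n');

// One line = timestamp, event, channel file, account, request id.
const LINE_RE =
  /^(\S+)\s+pairing\.(request|approved|rejected|expired)\s+channel=(\S+)\s+account=(\S+)\s+req=(\S+)$/;

// Replay the log: a request opens a pending slot, any terminal event closes it.
// Returns { channelFile: { account: pendingCount } }.
function pendingByChannel(logText) {
  const open = new Map(); // req id -> { channel, account }
  for (const raw of logText.split('\n')) {
    const m = LINE_RE.exec(raw.trim());
    if (!m) continue; // ignore unrelated or malformed lines
    const [, , event, channel, account, req] = m;
    if (event === 'request') open.set(req, { channel, account });
    else open.delete(req);
  }
  const counts = {};
  for (const { channel, account } of open.values()) {
    counts[channel] = counts[channel] || {};
    counts[channel][account] = (counts[channel][account] || 0) + 1;
  }
  return counts;
}

// Alert when one account holds at least `share` of the channel-wide cap:
// under the vulnerable per-channel policy that account alone can starve
// every other account on the same channel file.
function findQuotaHogs(counts, cap, share = 0.75) {
  const threshold = Math.ceil(cap * share);
  const alerts = [];
  for (const [channel, perAccount] of Object.entries(counts)) {
    const channelTotal = Object.values(perAccount).reduce((a, b) => a + b, 0);
    for (const [account, pending] of Object.entries(perAccount)) {
      if (pending >= threshold) {
        alerts.push({
          channel,
          account,
          pending,
          channelTotal,
          cap,
          windowFull: channelTotal >= cap, // other accounts are being refused now
        });
      }
    }
  }
  return alerts;
}

// Stand-alone run: acct-a holds 3 of the 4 shared slots on team-chat.json.
console.log(JSON.stringify(findQuotaHogs(pendingByChannel(SAMPLE_LOG), 4), null, 2));
```

Replaying terminal events (approved, rejected, expired) rather than counting raw requests matters: a burst of requests that are promptly approved is normal onboarding, while a steadily growing pending set on one account is what pushes a shared window to exhaustion.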
Technical Details
NVD Description
## Summary

Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account.

## Impact

This issue could deny new pairing or onboarding on another account until an existing request was approved or expired. It was an availability-only bug; it did not allow cross-account approval, data access, or authorization bypass.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `>= 2026.2.26, < 2026.3.31`
- Patched versions: `>= 2026.3.31`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `9bc1f896c8cd325dd4761681e9bdb8c425f69785` — scope pending request caps per account

## Release Process Note

The fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains the fix.

Thanks @smaeljaish771 for reporting.
Exploitation Scenario
An adversary or rogue co-tenant on a shared multi-account OpenClaw channel deliberately initiates the maximum permitted pending pairing requests from their account. Because the cap is tracked globally against the channel file, the pending window fills completely. Legitimate accounts attempting to onboard new agents — during automated CI/CD provisioning, horizontal scaling, or disaster-recovery re-pairing — receive rejection errors and cannot initialize. In environments with tight uptime SLAs for AI agent availability, this could trigger production incidents or delay security response workflows where rapid agent re-deployment is required.
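The mechanism behind this scenario, as an added toy model that is not OpenClaw's code: one pending-request store with a switch between the two quota policies the advisory contrasts. With the cap counted across the whole channel file, a second tenant is refused as soon as the first tenant's own requests fill the window; with the cap counted per account (the behaviour the fix commit describes), the first tenant is still limited to its own quota and the second tenant's onboarding proceeds. `MAX_PENDING`, the class and method names, the channel file name and the tenant ids are assumptions for the example.

```javascript
// Added example, not OpenClaw's code. The cap value is constructed for the demo.
const MAX_PENDING = 3;

class PairingStore {
  // perAccount=false: cap counted over every request on the channel file (vulnerable)
  // perAccount=true:  cap counted per (channel file, account) pair (fixed)
  constructor({ perAccount }) {
    this.perAccount = perAccount;
    this.pending = []; // { id, channel, account }
    this.nextId = 1;
  }

  // How many slots count against `account` on `channel` under the active policy.
  pendingCount(channel, account) {
    return this.pending.filter(
      (r) => r.channel === channel && (!this.perAccount || r.account === account),
    ).length;
  }

  request(channel, account) {
    if (this.pendingCount(channel, account) >= MAX_PENDING) {
      return { ok: false, reason: 'pending window full' };
    }
    const entry = { id: this.nextId++, channel, account };
    this.pending.push(entry);
    return { ok: true, id: entry.id };
  }

  // Approval, rejection or expiry all free the slot.
  resolve(id) {
    this.pending = this.pending.filter((r) => r.id !== id);
  }
}

// The advisory's scenario: tenant-a fills the window, then tenant-b tries to
// onboard a single agent on the same channel file.
function simulate(perAccount) {
  const store = new PairingStore({ perAccount });
  const channel = 'shared-channel.json';
  for (let i = 0; i < MAX_PENDING; i++) store.request(channel, 'tenant-a');
  const extraA = store.request(channel, 'tenant-a'); // over its own cap under both policies
  const firstB = store.request(channel, 'tenant-b'); // refused only when the cap is global
  return {
    tenantAOverCapRejected: !extraA.ok,
    tenantBAccepted: firstB.ok,
    channelPending: store.pending.length,
  };
}

console.log('per-channel cap (vulnerable):', simulate(false));
console.log('per-account cap (fixed):     ', simulate(true));
```

Under the vulnerable policy tenant-b stays blocked until one of tenant-a's entries is resolved, which is exactly the "until an existing request was approved or expired" condition in the NVD description; the per-account policy leaves tenant-a's own cap intact while removing its effect on everyone else.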
Related Vulnerabilities
- CVE-2026-30741 (9.8) OpenClaw: RCE via request-side prompt injection (same package: openclaw)
- CVE-2026-28451 (9.3) OpenClaw: SSRF via Feishu extension exposes internal services (same package: openclaw)
- GHSA-m3mh-3mpg-37hw (8.6) OpenClaw: .npmrc hijack enables RCE on plugin install (same package: openclaw)
- CVE-2026-27001 (7.8) OpenClaw: prompt injection via unsanitized workspace path (same package: openclaw)
- GHSA-hr5v-j9h9-xjhg (7.7) OpenClaw: sandbox escape via mediaUrl path traversal (same package: openclaw)