GHSA-xrq9-jm7v-g9h7: OpenClaw auth bypass enables

Q: Is GHSA-xrq9-jm7v-g9h7 actively exploited?

No confirmed active exploitation of GHSA-xrq9-jm7v-g9h7 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-xrq9-jm7v-g9h7?

1. Upgrade openclaw (npm) to version 2026.4.20 or later—this is the only fix; no workaround fully closes the gap. 2. Audit current gateway configurations to identify multi-device or multi-tenant deployments where device-level session isolation was assumed. 3. Review pairing audit logs for anomalous cross-device approval activity prior to patching. 4. As a temporary measure, restrict all pairing management operations to admin-privileged sessions only until the patch is deployed. 5. Monitor for unexpected device pairing approvals within shared gateways post-remediation.

Q: What systems are affected by GHSA-xrq9-jm7v-g9h7?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-device AI agent deployments, gateway-based agent orchestration.

Q: What is the CVSS score for GHSA-xrq9-jm7v-g9h7?

No CVSS score has been assigned yet.

CISO Take

OpenClaw (npm) contains a same-gateway authorization flaw where a limited-scope paired device can enumerate global pairing state and act on pending pairing requests belonging to other devices within the same gateway. While the bug requires an attacker to already hold a valid paired device session—ruling out unauthenticated exploitation—it enables lateral movement across device boundaries in shared-gateway deployments, effectively multiplying the blast radius of any compromised low-privilege agent. With only 4 tracked downstream dependents, no public exploit code, no EPSS data, and no CISA KEV listing, overall risk is low; however, organizations running OpenClaw in multi-tenant or shared-gateway configurations should upgrade to 2026.4.20 immediately.

Sources: GitHub Advisory ATLAS CISA KEV

What is the risk?

LOW severity. Requires a pre-existing authenticated paired device session within the same gateway scope—no remote unauthenticated exploitation path exists. Limited ecosystem footprint (4 downstream dependents) constrains blast radius. No public PoC, no active exploitation evidence, not in CISA KEV. Risk escalates for deployments where multiple tenants or competing principals share a single OpenClaw gateway, as session isolation between device scopes was incorrectly assumed.

How does the attack unfold?

Initial Access

Attacker obtains a valid but limited-scope paired device session on the target OpenClaw gateway by compromising a low-privilege peripheral agent or device.

AML.T0012

Discovery

Using the limited paired session, the attacker queries global pairing state to enumerate pending pairing requests from higher-privileged devices within the same gateway scope.

AML.T0084

Privilege Escalation

The attacker acts on a pending pairing request belonging to a higher-privileged device, approving it to gain unauthorized control over that device's session within the gateway.

AML.T0081

Impact

With an unauthorized paired session established for the victim device, the attacker invokes that device's capabilities and tools within the OpenClaw agent framework beyond their original authorization scope.

AML.T0053

Initial Access

Attacker obtains a valid but limited-scope paired device session on the target OpenClaw gateway by compromising a low-privilege peripheral agent or device.

AML.T0012

Discovery

Using the limited paired session, the attacker queries global pairing state to enumerate pending pairing requests from higher-privileged devices within the same gateway scope.

AML.T0084

Privilege Escalation

The attacker acts on a pending pairing request belonging to a higher-privileged device, approving it to gain unauthorized control over that device's session within the gateway.

AML.T0081

Impact

With an unauthorized paired session established for the victim device, the attacker invokes that device's capabilities and tools within the OpenClaw agent framework beyond their original authorization scope.

AML.T0053

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	npm	< 2026.4.20	`2026.4.20`
4 dependents 36% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

5 steps

Upgrade openclaw (npm) to version 2026.4.20 or later—this is the only fix; no workaround fully closes the gap.
Audit current gateway configurations to identify multi-device or multi-tenant deployments where device-level session isolation was assumed.
Review pairing audit logs for anomalous cross-device approval activity prior to patching.
As a temporary measure, restrict all pairing management operations to admin-privileged sessions only until the patch is deployed.
Monitor for unexpected device pairing approvals within shared gateways post-remediation.

How is it classified?

Auth Bypass Agent AML.T0012 - Valid Accounts AML.T0053 - AI Agent Tool Invocation AML.T0081 - Modify AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.1 - Organizational roles, responsibilities and authorities

NIST AI RMF

GOVERN 6.2 - Policies and procedures are in place to address AI risks and legal requirements

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is GHSA-xrq9-jm7v-g9h7?

OpenClaw (npm) contains a same-gateway authorization flaw where a limited-scope paired device can enumerate global pairing state and act on pending pairing requests belonging to other devices within the same gateway. While the bug requires an attacker to already hold a valid paired device session—ruling out unauthenticated exploitation—it enables lateral movement across device boundaries in shared-gateway deployments, effectively multiplying the blast radius of any compromised low-privilege agent. With only 4 tracked downstream dependents, no public exploit code, no EPSS data, and no CISA KEV listing, overall risk is low; however, organizations running OpenClaw in multi-tenant or shared-gateway configurations should upgrade to 2026.4.20 immediately.

Is GHSA-xrq9-jm7v-g9h7 actively exploited?

No confirmed active exploitation of GHSA-xrq9-jm7v-g9h7 has been reported, but organizations should still patch proactively.

How to fix GHSA-xrq9-jm7v-g9h7?

1. Upgrade openclaw (npm) to version 2026.4.20 or later—this is the only fix; no workaround fully closes the gap. 2. Audit current gateway configurations to identify multi-device or multi-tenant deployments where device-level session isolation was assumed. 3. Review pairing audit logs for anomalous cross-device approval activity prior to patching. 4. As a temporary measure, restrict all pairing management operations to admin-privileged sessions only until the patch is deployed. 5. Monitor for unexpected device pairing approvals within shared gateways post-remediation.

What systems are affected by GHSA-xrq9-jm7v-g9h7?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-device AI agent deployments, gateway-based agent orchestration.

What is the CVSS score for GHSA-xrq9-jm7v-g9h7?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-device AI agent deploymentsgateway-based agent orchestration

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0053 AI Agent Tool Invocation

AML.T0081 Modify AI Agent Configuration

AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.6.1

NIST AI RMF: GOVERN 6.2

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling. This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low. ## Fix Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests. Fix commit: - `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6` ## Release Fixed in OpenClaw `2026.4.20`.

Exploitation Scenario

An adversary compromises a low-privilege IoT device or peripheral AI agent that holds a valid paired session on the target OpenClaw gateway. Using this limited session, they query the global pairing state API to enumerate pending device pairing requests from other principals within the gateway scope. They identify a high-value pending request—such as a privileged orchestrator agent with broad tool access—and approve it on behalf of the victim device. This establishes an unauthorized paired session for the privileged agent, effectively hijacking its identity within the framework without triggering admin-level authentication checks.

Weaknesses (CWE)

CWE-284 Improper Access Control Primary CWE-863 Incorrect Authorization Primary

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

[Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
[Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.