GHSA-cwj3-vqpp-pmxr — high GitHub Advisory in npm/openclaw

Description

Summary

The agent-facing gateway tool protects config.apply and config.patch with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations.

Impact

A prompt-injected or otherwise compromised model running with access to the owner-only gateway tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config.

Affected Packages / Versions

Package: openclaw on npm
Affected: versions before 2026.4.23
Fixed: 2026.4.23
Latest stable verified fixed: [email protected], tag v2026.4.23

Fix

OpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven gateway config.apply and gateway config.patch now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked.

Fix Commit(s)

bceda6089aa7b3695cc7696b43c61ae3d01bb0ec (fix(gateway): fail closed on runtime config edits)

Severity

Severity remains high. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation.

Basic information

Type: reviewed
Severity: high
Advisory on GitHub: Open advisory ↗
Repository advisory: Open repository advisory ↗
Source code: Browse source ↗
Published (advisory): 2026-05-05 18:44:31 UTC
Updated: 2026-05-29 03:48:52 UTC
GitHub reviewed: 2026-05-05 18:44:31 UTC

CVSS Scores

Base score	Version	Severity	Vector
8.8	3.1	—	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.

Identifiers

Type	Value
GHSA	GHSA-cwj3-vqpp-pmxr ↗

CWEs

CWE id	Name
CWE-862	Missing Authorization

Credits

zsxsoft (reporter)
qclawer (sponsor)
KeenSecurityLab (sponsor)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
npm	openclaw	< 2026.4.23	2026.4.23	—

OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes