Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade.
Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
openclaw (npm)<= 2026.4.22026.4.8The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.
Thanks @tdjackey for reporting.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-gfmx-pph7-g46x ↗ |
| CWE id | Name |
|---|---|
| CWE-501 | Trust Boundary Violation |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | <= 2026.4.2 | 2026.4.8 | — |