Multiple OpenClaw Vulnerabilities Enables Policy Bypass and Host Override
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Cybersecurity researchers have recently disclosed three moderate-severity vulnerabilities in OpenClaw<\/a>, an AI agent framework previously known as Clawdbot and Moltbot.<\/p>\n Distributed as an npm package, these security flaws allow bypasses of policy enforcement, gateway configuration mutations, and host override attacks that could lead to credential exposure.<\/p>\n The development team has released OpenClaw version 2026.4.20 to patch all three vulnerabilities.<\/p>\n Users running versions before 2026.4.20 are strongly advised to update their deployments immediately to protect their environments.<\/p>\n The first vulnerability, identified as GHSA-7jm2-g593-4qrc<\/a>, involves a flaw in how OpenClaw handles agent gateway configuration mutations.<\/p>\n The existing security guards for configuration patching did not adequately cover several sensitive, operator-trusted settings.<\/p>\n These overlooked settings include sandbox policies, plugin enablements, Server-Side Request Forgery<\/a> policies<\/a>, and filesystem hardening rules.<\/p>\n If an AI model receives prompt-injected instructions and has access to the owner-only gateway tool, it could persistently alter these critical settings.<\/p>\n While this is a model-to-operator guard bypass rather than a remote, unauthenticated compromise, it still poses a significant risk.<\/p>\n The patch resolves this by blocking model-driven mutations for a broader set of operator-trusted paths.<\/p>\n The second flaw, tracked as GHSA-qrp5-gfw2-gxv4, affects how bundled Model Context Protocol<\/a> and Language Server Protocol tools are processed.<\/p>\n In vulnerable versions, these bundled tools could be added to an agent\u2019s active tool set after the system had already applied its core filtering rules.<\/p>\n Consequently, even if a system administrator sets strict tool policies, such as explicit deny lists, sandbox rules, or owner-only restrictions, a bundled tool could bypass these defenses and remain active.<\/p>\n This local agent policy-enforcement bypass has been fixed in the latest release<\/a> by applying a final, comprehensive policy check to all bundled tools before merging them into the active tool set.<\/p>\n The third issue, designated as GHSA-h2vw-ph2c-jvwf, centers on a workspace configuration vulnerability.<\/p>\n An attacker with control over a local workspace environment file could manipulate the API host setting.<\/p>\n By injecting a malicious URL<\/a> into this configuration, the attacker could redirect legitimate, credentialed requests to an external server under their control.<\/p>\n This redirection would expose sensitive API keys within the outbound authorization headers.<\/p>\n To address this risk, the OpenClaw team has updated the software to block the API host setting from being injected via workspace environment files, effectively preventing this credential-stealing attack<\/a>.<\/p>\n These discoveries highlight the importance of securing AI agent frameworks<\/a> against both prompt injection and local environment manipulation.<\/p>\n Organizations using OpenClaw should verify their package versions and upgrade to version 2026.4.20 to ensure their AI operations remain secure and compliant with their internal policies.<\/p>\n The prompt patching of these issues demonstrates the critical need for continuous security monitoring in rapidly evolving artificial intelligence<\/a> deployment environments.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Multiple OpenClaw Vulnerabilities Enables Policy Bypass and Host Override<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nGateway Configuration Mutation Flaw<\/strong><\/h2>\n
Tool Policy Enforcement Bypass<\/strong><\/h2>\n
Host Override and Credential Exposure<\/strong><\/h2>\n