GHSA-943Q-MWMV-HHVH

GHSA-943Q-MWMV-HHVH is a high-severity OS command injection vulnerability in openclaw (npm), affecting versions < 2026.2.14. It is fixed in 2026.2.14.

Summary

OpenClaw Gateway exposes an authenticated HTTP endpoint (POST /tools/invoke) intended for invoking a constrained set of tools. Two issues could combine to significantly increase blast radius in misconfigured or exposed deployments:

  • The HTTP gateway layer did not deny high-risk session orchestration tools by default, allowing a caller with Gateway auth to invoke tools like sessions_spawn / sessions_send and pivot into creating or controlling agent sessions.
  • ACP clients could auto-approve permission requests for risky tools with insufficient user interaction/guardrails, reducing the friction that should normally prevent silent execution or mutation.

CVSS

  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

Affected versions

  • openclaw < 2026.2.14

Fixed in

  • openclaw >= 2026.2.14

Mitigations / deployment guidance

  • Keep the Gateway loopback-only unless you have a strong reason not to: gateway.bind="loopback" / openclaw gateway run --bind loopback.
  • Avoid exposing the Gateway directly to the public internet. Use an SSH tunnel or Tailscale to access a loopback-bound Gateway.
  • Treat opting in to default-denied HTTP tools (via gateway.tools.allow) as high-risk and audit such configurations carefully.
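
The two configuration checks from the guidance above, written out as an added example (not code from OpenClaw or from this advisory). It assumes the Gateway config is available as a parsed object with gateway.bind and gateway.tools.allow, and its high-risk list holds only the two tools this advisory names; auditGatewayConfig and the sample values are hypothetical.

```javascript
// Assumption: only the two tools named in the advisory. The real
// default-deny list in openclaw may be longer.
const HIGH_RISK_HTTP_TOOLS = new Set(["sessions_spawn", "sessions_send"]);

// Hypothetical helper: returns a list of findings for one parsed config.
function auditGatewayConfig(config) {
  const findings = [];
  const gateway = (config && config.gateway) || {};

  // Flag anything that is not an explicit loopback bind, including a
  // missing value, so the reviewer confirms the effective setting.
  if (gateway.bind !== "loopback") {
    findings.push({
      check: "bind",
      detail: `gateway.bind is ${JSON.stringify(gateway.bind)}, not "loopback"`,
    });
  }

  const allow = gateway.tools ? gateway.tools.allow : undefined;
  if (allow !== undefined && !Array.isArray(allow)) {
    findings.push({ check: "tools.allow", detail: "gateway.tools.allow is not a list" });
  }
  for (const entry of Array.isArray(allow) ? allow : []) {
    // Normalise before comparing so " Sessions_Spawn " is still caught.
    const name = String(entry).trim().toLowerCase();
    if (HIGH_RISK_HTTP_TOOLS.has(name)) {
      findings.push({
        check: "tools.allow",
        detail: `gateway.tools.allow re-enables ${name} over HTTP /tools/invoke`,
      });
    }
  }
  return findings;
}

// Constructed sample configs; "lan" and "web_search" are placeholder values.
const exposed = { gateway: { bind: "lan", tools: { allow: ["Sessions_Spawn", "web_search"] } } };
const hardened = { gateway: { bind: "loopback", tools: { allow: [] } } };

for (const [label, cfg] of [["exposed", exposed], ["hardened", hardened]]) {
  const findings = auditGatewayConfig(cfg);
  console.log(label, findings.length ? findings.map((f) => f.detail) : "no findings");
}
```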

Credits

OpenClaw thanks @aether-ai-agent for reporting this issue and contributing remediation work.

Impact

If the Gateway is reachable by an attacker and they obtain a valid Gateway token, they may be able to:

  • Escalate from single-tool invocation to spawning/controlling sessions and reach command execution capabilities depending on tool policy and runtime environment.
  • Perform cross-session message injection via sessions_send.
  • In ACP-integrated scenarios, obtain unintended approvals for non-read/search tool permissions.

Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.

GHSA-943Q-MWMV-HHVH has a CVSS score of 8.8 (High). The vector is network-reachable, requires low privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2026.2.14); upgrading removes the vulnerable code path.

Security releases

openclaw → 2026.2.14 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

The default behavior is now hardened:

  • PR #15390: deny high-risk tools over HTTP /tools/invoke by default (with gateway.tools.{allow,deny} overrides) and harden ACP permission handling.
  • Commit bb1c3dfe1: ACP clients now prompt for any non-read/search permission request (fail closed for mutating/execution/fetch operations).
  • Commit 539689a2f: security audit warns when gateway.tools.allow re-enables default-denied HTTP tools, since this can increase RCE blast radius if the Gateway is reachable.
  • Commit 153a7644e: ACP safe-kind inference is stricter to avoid accidental auto-approval due to substring matches (still auto-approves only confident read/search).
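
Why substring-based safe-kind inference leads to accidental auto-approval, shown beside a stricter fail-closed form, as an added example (an illustration, not OpenClaw's ACP code). The request shape { toolName, kind }, the risky-token list and all tool names are assumptions made for the demonstration.

```javascript
const SAFE_KINDS = new Set(["read", "search"]);
// Hypothetical tokens marking mutating/execution/fetch operations.
const RISKY_TOKENS = new Set(["write", "edit", "delete", "exec", "fetch", "send", "spawn"]);

// Loose inference: a substring hit anywhere in the tool name counts as safe.
function inferKindLoose(req) {
  const name = String(req.toolName || "").toLowerCase();
  return ["read", "search"].find((k) => name.includes(k)) || "other";
}

// Strict inference: whole-token matches only, and any doubt yields "other".
function inferKindStrict(req) {
  const tokens = String(req.toolName || "").toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
  const safe = tokens.filter((t) => SAFE_KINDS.has(t));
  const fromName =
    safe.length === 1 && !tokens.some((t) => RISKY_TOKENS.has(t)) ? safe[0] : "other";
  if (req.kind === undefined) return fromName;
  // A declared kind must agree with what the name supports.
  const declared = String(req.kind).toLowerCase();
  return declared === fromName ? declared : "other";
}

// Fail closed: anything not confidently read/search goes to the user.
function decide(req, inferKind) {
  return SAFE_KINDS.has(inferKind(req)) ? "auto-approve" : "prompt";
}

// Constructed permission requests; tool names are made up for illustration.
const requests = [
  { toolName: "read_file" },
  { toolName: "thread_delete" },     // "thread" contains "read"
  { toolName: "research_and_exec" }, // "research" contains "search"
  { toolName: "read_then_write" },
  { toolName: "search", kind: "execute" },
];

function compare(reqs) {
  return reqs.map((r) => ({
    tool: r.toolName,
    loose: decide(r, inferKindLoose),
    strict: decide(r, inferKindStrict),
  }));
}

console.table(compare(requests));
```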

Frequently Asked Questions

  1. What is GHSA-943Q-MWMV-HHVH? GHSA-943Q-MWMV-HHVH is a high-severity OS command injection vulnerability in openclaw (npm), affecting versions < 2026.2.14. It is fixed in 2026.2.14. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
  2. How severe is GHSA-943Q-MWMV-HHVH? GHSA-943Q-MWMV-HHVH has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of openclaw are affected by GHSA-943Q-MWMV-HHVH? openclaw (npm) versions < 2026.2.14 are affected.
  4. Is there a fix for GHSA-943Q-MWMV-HHVH? Yes. GHSA-943Q-MWMV-HHVH is fixed in 2026.2.14. Upgrade to this version or later.
  5. Is GHSA-943Q-MWMV-HHVH exploitable, and should I be worried? Whether GHSA-943Q-MWMV-HHVH is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-943Q-MWMV-HHVH is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-943Q-MWMV-HHVH? Upgrade openclaw to 2026.2.14 or later.

Other vulnerabilities in openclaw

  • CVE-2026-53811
  • CVE-2026-53816
  • CVE-2026-53806
  • CVE-2026-53818
  • CVE-2026-53809
