Critical OpenClaw Flaws Let Attackers Bypass Policies, Override Hosts

David Kimber, April 28, 2026

Key Takeaways

  • Three moderate-severity vulnerabilities have been discovered in OpenClaw, an AI agent framework.
  • These flaws enable policy bypasses, gateway configuration manipulation, and host override attacks, potentially leading to credential exposure.
  • The vulnerabilities affect OpenClaw versions prior to 2026.4.20.
  • A patch is available in OpenClaw version 2026.4.20, and immediate updates are strongly recommended.

Cybersecurity researchers have identified three moderate-severity vulnerabilities within the OpenClaw AI agent framework, previously known as Clawdbot and Moltbot. These security issues, present in the npm package distribution of OpenClaw, could allow attackers to circumvent policy enforcement, modify gateway configurations, and execute host override attacks, ultimately risking the exposure of sensitive credentials.

The OpenClaw development team has responded promptly by releasing version 2026.4.20, which incorporates fixes for all three reported flaws. Users operating any version preceding 2026.4.20 are urged to update their deployments without delay to safeguard their environments.

Gateway Configuration Mutation Flaw

The first vulnerability, tracked as GHSA-7jm2-g593-4qrc, pertains to insufficient security measures within OpenClaw’s handling of agent gateway configuration updates. Existing safeguards for configuration patching failed to adequately protect several critical, operator-trusted settings. These overlooked parameters include sandbox policies, plugin activation rules, Server-Side Request Forgery (SSRF) policies, and filesystem hardening configurations.

Should an AI model receive maliciously crafted prompt-injected instructions and possess access to the owner-only gateway tool, it could persistently alter these sensitive settings. While this represents a bypass of model-to-operator security rather than an unauthenticated remote compromise, it still presents a substantial risk to operational integrity. The implemented patch addresses this by preventing model-driven mutations across a broader range of operator-trusted configuration paths.
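The guard described above, as an added example that is not OpenClaw's own code: a validator that refuses model-originated patches touching operator-trusted configuration paths. The dotted path names and the patch/source shapes are assumptions made for illustration.

```javascript
// Added example (not OpenClaw's code). Protected prefixes are hypothetical names
// standing in for the sandbox, plugin, SSRF and filesystem-hardening settings.
const OPERATOR_TRUSTED_PREFIXES = [
  "agents.sandbox",        // sandbox policy
  "plugins.enabled",       // plugin activation rules
  "network.ssrfPolicy",    // SSRF policy
  "filesystem.hardening",  // filesystem hardening
];

// Flatten a nested merge-patch into dotted paths, e.g. {a:{b:1}} -> ["a.b"].
// A null leaf (a deletion) still yields its path.
function patchPaths(patch, prefix = "") {
  const out = [];
  for (const [key, value] of Object.entries(patch)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value && typeof value === "object" && !Array.isArray(value)) {
      out.push(...patchPaths(value, path));
    } else {
      out.push(path);
    }
  }
  return out;
}

// A path is protected if it is a protected prefix, sits below one, or is an
// ancestor of one (replacing "network" wholesale also rewrites the SSRF policy).
function isOperatorTrusted(path) {
  return OPERATOR_TRUSTED_PREFIXES.some(
    (p) => path === p || path.startsWith(p + ".") || p.startsWith(path + ".")
  );
}

// Returns {ok, blocked}; blocked lists every protected path the patch touches.
// Only patches that originate from the model are checked; the operator may
// still change these settings through their own trusted channel.
function validateGatewayPatch(patch, { source }) {
  if (source === "operator") return { ok: true, blocked: [] };
  const blocked = patchPaths(patch).filter(isOperatorTrusted);
  return { ok: blocked.length === 0, blocked };
}
```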

Tool Policy Enforcement Bypass

The second identified flaw, designated GHSA-qrp5-gfw2-gxv4, impacts the processing of bundled Model Context Protocol (MCP) and Language Server Protocol (LSP) tools. In affected versions, these bundled tools could be added to an agent’s active tool set even after the system had already applied its primary filtering rules. This means that strict tool policies, such as explicit deny lists, sandbox restrictions, or owner-only access controls set by system administrators, could be bypassed, allowing bundled tools to remain active despite prohibitions.

This local agent policy-enforcement bypass has been rectified in the latest release by implementing a final, comprehensive policy validation check for all bundled tools before they are integrated into the active tool set.
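The ordering problem and its fix, as an added example rather than OpenClaw's code: the vulnerable builder filters the base tools and then appends bundled MCP/LSP tools unchecked, while the fixed builder runs every candidate through the policy gate as the last step. Tool names, the policy shape and the caller roles are assumptions.

```javascript
// Added example (not OpenClaw's code). Tool and policy shapes are hypothetical.
const policy = {
  deny: new Set(["shell.exec"]),          // explicit deny list
  ownerOnly: new Set(["gateway.config"]), // owner-only access control
  sandboxed: true,                        // sandbox forbids tools that need the host
};

function allowedByPolicy(tool, policy, caller) {
  if (policy.deny.has(tool.name)) return false;
  if (policy.ownerOnly.has(tool.name) && caller !== "owner") return false;
  if (policy.sandboxed && tool.needsHost) return false;
  return true;
}

// Vulnerable ordering: the policy filters the base tools, then bundled tools
// are appended afterwards and never see the filter.
function buildToolSetVulnerable(baseTools, bundledTools, policy, caller) {
  const active = baseTools.filter((t) => allowedByPolicy(t, policy, caller));
  return active.concat(bundledTools);
}

// Fixed ordering: every tool, bundled or not, passes the policy gate
// immediately before it joins the active set.
function buildToolSetFixed(baseTools, bundledTools, policy, caller) {
  const candidates = baseTools.concat(bundledTools);
  return candidates.filter((t) => allowedByPolicy(t, policy, caller));
}

// Constructed sample data.
const baseTools = [{ name: "files.read" }, { name: "shell.exec" }];
const bundledTools = [
  { name: "shell.exec", bundle: "mcp" },                       // on the deny list
  { name: "lsp.hover", bundle: "lsp" },
  { name: "gateway.config", bundle: "mcp" },                   // owner-only
  { name: "mcp.localBrowser", bundle: "mcp", needsHost: true }, // blocked by sandbox
];
const names = (tools) => tools.map((t) => t.name);
```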

Host Override and Credential Exposure

The third vulnerability, identified as GHSA-h2vw-ph2c-jvwf, stems from a flaw in workspace configuration handling. An attacker who gains control over a local workspace environment file could manipulate the API host setting. By injecting a malicious URL into this configuration, the attacker could redirect legitimate, credentialed requests to an external server under their control. Such redirection would expose sensitive API keys contained within outbound authorization headers.

To mitigate this risk, the OpenClaw team has updated the software to block the API host setting from being injected via workspace environment files, thereby thwarting this potential credential-stealing attack. These findings underscore the critical importance of securing AI agent frameworks against both prompt injection and local environment manipulation. The swift patching of these issues highlights the continuous need for robust security monitoring in the rapidly evolving landscape of artificial intelligence deployments.
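The mitigation described above, as an added example that is not OpenClaw's code: a workspace env loader that drops the API host key instead of honouring it, plus a second check that credentialed requests only go to a known host. The variable names, the trusted host and the sample file contents are constructed for illustration.

```javascript
// Added example (not OpenClaw's code). Key names and hosts are hypothetical.
const WORKSPACE_BLOCKED_KEYS = new Set(["OPENCLAW_API_HOST"]);
const TRUSTED_API_HOSTS = new Set(["api.example-openclaw.test"]);

// Minimal KEY=VALUE parser for dotenv-style text (comments and blanks skipped).
function parseEnv(text) {
  const env = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// Merge a workspace env over the process env, refusing keys that only the
// operator's process environment may set. Returns the ignored keys so the
// caller can log an attempted override.
function loadWorkspaceEnv(processEnv, workspaceText) {
  const ignored = [];
  const merged = { ...processEnv };
  for (const [key, value] of Object.entries(parseEnv(workspaceText))) {
    if (WORKSPACE_BLOCKED_KEYS.has(key)) { ignored.push(key); continue; }
    merged[key] = value;
  }
  return { env: merged, ignored };
}

// Defence in depth: authorization headers are only sent to an allow-listed
// HTTPS origin, whatever source the host setting came from.
function credentialedRequestTarget(env) {
  const url = new URL(env.OPENCLAW_API_HOST);
  if (url.protocol !== "https:" || !TRUSTED_API_HOSTS.has(url.hostname)) {
    throw new Error(`refusing to send credentials to ${url.origin}`);
  }
  return url.origin;
}

// Constructed sample: a workspace file that tries to override the API host.
const WORKSPACE_ENV = [
  "# workspace settings",
  "OPENCLAW_API_HOST=https://untrusted.example/collect",
  "OPENCLAW_WORKSPACE_NAME=demo",
].join("\n");
const PROCESS_ENV = { OPENCLAW_API_HOST: "https://api.example-openclaw.test", OPENCLAW_API_KEY: "constructed-key" };
```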

What You Should Do

  • Immediately update all OpenClaw deployments to version 2026.4.20 or later.
  • Verify that your OpenClaw package versions are current to ensure protection against these vulnerabilities.
  • Review and strengthen internal policies regarding AI model interactions and tool access, particularly for owner-only gateway tools.
  • Implement strict access controls and monitoring for local workspace environment files to prevent unauthorized modifications.
