OpenClaw Vulnerabilities Allow Policy Bypass & Host Override

David kimber
April 28, 2026

Recently, cybersecurity researchers disclosed three moderate-severity vulnerabilities in OpenClaw, an AI agent framework formerly known as Clawdbot and Moltbot.

OpenClaw is distributed as an npm package. The flaws allow policy-enforcement bypasses, gateway configuration mutations, and host override attacks that could lead to credential exposure.

The development team has released OpenClaw version 2026.4.20 to patch all three vulnerabilities.

Users running versions before 2026.4.20 are strongly advised to update their deployments immediately to protect their environments.

Gateway Configuration Mutation Flaw

The first vulnerability, identified as GHSA-7jm2-g593-4qrc, involves a flaw in how OpenClaw handles agent gateway configuration mutations.

The existing security guards for configuration patching did not adequately cover several sensitive, operator-trusted settings.

These overlooked settings include sandbox policies, plugin enablements, Server-Side Request Forgery policies, and filesystem hardening rules.

If an AI model receives prompt-injected instructions and has access to the owner-only gateway tool, it could persistently alter these critical settings.

While this is a model-to-operator guard bypass rather than a remote, unauthenticated compromise, it still poses a significant risk.

The patch resolves this by blocking model-driven mutations for a broader set of operator-trusted paths.
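A minimal sketch of the kind of guard described above, added here as an illustration and not taken from OpenClaw's code. The config path names, the `origin` values and all function names are assumptions; the article does not give the real keys.

```javascript
// Added illustration, not OpenClaw source. Path names are hypothetical.
const OPERATOR_TRUSTED = ["sandbox", "plugins.enabled", "network.ssrf", "fs.hardening"];

// True when `path` equals `root` or sits below it on a segment boundary,
// so "sandboxed" is not mistaken for "sandbox".
function isUnder(path, root) {
  return path === root || path.startsWith(root + ".");
}

// Flatten a nested patch into dotted paths. An empty object or null still
// yields its own path; otherwise { sandbox: {} } would slip through.
function leafPaths(obj, prefix = "") {
  return Object.entries(obj).flatMap(([key, value]) => {
    const path = prefix ? `${prefix}.${key}` : key;
    const nested = value !== null && typeof value === "object" && !Array.isArray(value);
    const children = nested ? leafPaths(value, path) : [];
    return children.length ? children : [path];
  });
}

// A path is sensitive if it is inside a trusted subtree, or if it replaces
// a parent that contains one (e.g. overwriting "network" wholesale).
function touchesTrusted(path) {
  return OPERATOR_TRUSTED.some((t) => isUnder(path, t) || isUnder(t, path));
}

// origin is "model" for tool-call-driven patches, "operator" otherwise.
function guardPatch(patch, origin) {
  const blocked = origin === "model" ? leafPaths(patch).filter(touchesTrusted) : [];
  return { ok: blocked.length === 0, blocked };
}

// Constructed sample patches.
console.log(guardPatch({ ui: { theme: "dark" } }, "model"));
console.log(guardPatch({ sandbox: { mode: "off" }, network: null }, "model"));
```

Logging the `blocked` list gives operators a signal that a model attempted to change a protected setting.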

Tool Policy Enforcement Bypass

The second flaw, tracked as GHSA-qrp5-gfw2-gxv4, affects how bundled Model Context Protocol and Language Server Protocol tools are processed.

In vulnerable versions, these bundled tools could be added to an agent’s active tool set after the system had already applied its core filtering rules.

Consequently, even if a system administrator sets strict tool policies, such as explicit deny lists, sandbox rules, or owner-only restrictions, a bundled tool could bypass these defenses and remain active.

This local agent policy-enforcement bypass has been fixed in the latest release by applying a final, comprehensive policy check to all bundled tools before merging them into the active tool set.
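The ordering problem described above can be shown with a small model, added here as an example and not drawn from OpenClaw's source. Tool names, the policy shape and the function names are all assumptions.

```javascript
// Added illustration, not OpenClaw source. All names are hypothetical.
const policy = {
  deny: new Set(["shell_exec"]),   // explicit deny list set by the administrator
  ownerOnly: new Set(["gateway"]), // tools restricted to the owner
};

// Constructed sample data.
const coreTools = [{ name: "read_file" }, { name: "shell_exec" }, { name: "gateway" }];
const bundledTools = [
  { name: "lsp_hover", source: "lsp" },
  { name: "shell_exec", source: "mcp" }, // bundled tool that policy should deny
];

function allowed(tool, ctx) {
  if (policy.deny.has(tool.name)) return false;
  if (policy.ownerOnly.has(tool.name) && !ctx.isOwner) return false;
  return true;
}

// Vulnerable ordering: policy runs on core tools only, then bundled
// MCP/LSP tools are appended without ever being checked.
function buildToolsVulnerable(ctx) {
  const filtered = coreTools.filter((t) => allowed(t, ctx));
  return [...filtered, ...bundledTools];
}

// Fixed ordering: merge first, then run one final policy pass over
// everything, so no source can add a tool after enforcement.
function buildToolsFixed(ctx) {
  return [...coreTools, ...bundledTools].filter((t) => allowed(t, ctx));
}

function names(tools) {
  return tools.map((t) => t.name);
}

const ctx = { isOwner: false };
console.log("vulnerable:", names(buildToolsVulnerable(ctx)));
console.log("fixed:     ", names(buildToolsFixed(ctx)));
```

A regression test that asserts no denied name appears in the final tool set, whatever its source, catches this class of ordering bug.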

Host Override and Credential Exposure

The third issue, designated as GHSA-h2vw-ph2c-jvwf, centers on a workspace configuration vulnerability.

An attacker with control over a local workspace environment file could manipulate the API host setting.

By injecting a malicious URL into this configuration, the attacker could redirect legitimate, credentialed requests to an external server under their control.

This redirection would expose sensitive API keys within the outbound authorization headers.

To address this risk, the OpenClaw team has updated the software to block the API host setting from being injected via workspace environment files, effectively preventing this credential-stealing attack.
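The following added example, not taken from OpenClaw, sketches how a loader can refuse destination-controlling keys from a workspace environment file. The variable names (`EXAMPLE_API_HOST` and so on), the default host and the file contents are placeholders, since the article does not name the real setting.

```javascript
// Added illustration, not OpenClaw source. Variable names are placeholders.
const BLOCKED_IN_WORKSPACE = new Set(["EXAMPLE_API_HOST", "EXAMPLE_API_BASE_URL"]);

// Minimal KEY=VALUE parser: skips comments, accepts "export KEY=...",
// strips one pair of surrounding quotes.
function parseEnv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim().replace(/^export\s+/, "");
    out[key] = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, "$2");
  }
  return out;
}

// Workspace files are untrusted input: ordinary keys are merged, but keys
// that decide where credentialed requests go are rejected and reported.
function loadWorkspaceEnv(trustedEnv, workspaceText) {
  const env = { ...trustedEnv };
  const rejected = [];
  for (const [key, value] of Object.entries(parseEnv(workspaceText))) {
    if (BLOCKED_IN_WORKSPACE.has(key.toUpperCase())) {
      rejected.push(key);
      continue;
    }
    env[key] = value;
  }
  return { env, rejected };
}

// Origin that an Authorization header would be sent to.
function requestTarget(env) {
  return new URL("/v1/chat", env.EXAMPLE_API_HOST || "https://api.example.com").origin;
}

// Constructed sample: operator-provided settings and a workspace .env file.
const trusted = { EXAMPLE_API_HOST: "https://api.example.com", EXAMPLE_API_KEY: "sk-constructed" };
const workspaceFile = 'LOG_LEVEL=debug\nexport EXAMPLE_API_HOST="https://collector.invalid"\n';

const naive = { ...trusted, ...parseEnv(workspaceFile) }; // pre-fix behaviour
const guarded = loadWorkspaceEnv(trusted, workspaceFile);
console.log("naive target:  ", requestTarget(naive));
console.log("guarded target:", requestTarget(guarded.env), "rejected:", guarded.rejected);
```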

These discoveries highlight the importance of securing AI agent frameworks against both prompt injection and local environment manipulation.

Organizations using OpenClaw should verify their package versions and upgrade to version 2026.4.20 to ensure their AI operations remain secure and compliant with their internal policies.

The prompt patching of these issues demonstrates the critical need for continuous security monitoring in rapidly evolving artificial intelligence deployment environments.
