GHSA-57R2-H2WJ-G887: Trust Boundary Violation in OpenClaw Isolated Cron Awareness Events
Vulnerability ID: GHSA-57R2-H2WJ-G887
CVSS Score: 3.3
Published: 2026-04-25
OpenClaw versions prior to 2026.4.17 contain a vulnerability where isolated cron agents fail to explicitly mark external webhook data as untrusted. This allows external inputs to be promoted to the main session stream with authoritative system provenance labels.
TL;DR
Missing trust labels in OpenClaw cron dispatch allow external inputs to impersonate authoritative system events, leading to potential LLM prompt injection and UI spoofing.
Technical Details
- CWE ID: CWE-345 / CWE-451
- Attack Vector: Network
- CVSS Score: 3.3 (Low)
- Exploit Status: None
- KEV Status: Not Listed
- Impact: Prompt Injection / UI Spoofing
Affected Systems
- OpenClaw
-
openclaw: < 2026.4.17 (Fixed in:
2026.4.17)
Mitigation Strategies
- Upgrade the openclaw npm package to version 2026.4.17 or higher.
- Explicitly define provenance flags (trusted: false) when calling enqueueSystemEvent from any external-facing service.
- Implement defense-in-depth within custom UIs to verify event source contexts against provenance labels.
Remediation Steps:
- Identify all deployments utilizing the openclaw package.
- Execute package manager updates to pull version 2026.4.17.
- Audit custom cron scripts mapping external inputs to enqueueSystemEvent to ensure they apply the trusted flag.
- Verify that LLM integrations prioritize system prompts appropriately and treat session stream events carefully.
References
Read the full report for GHSA-57R2-H2WJ-G887 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)