OpenClaw patches three flaws that could bypass AI agent safety rules


OpenClaw has patched three moderate-severity security vulnerabilities that could let AI agents bypass tool policies, change protected gateway settings, or redirect credentialed API requests. The fixes arrived in OpenClaw 2026.4.20, and users running older affected versions should update immediately.

The flaws affect the openclaw npm package, which powers an open-source personal AI assistant that can run locally, connect to messaging channels, and interact with tools, files, services, and workflows. The project’s own GitHub page describes OpenClaw as a personal assistant that runs on a user’s devices and uses the gateway as its control plane.

The main concern is control. AI agent frameworks often connect models to real actions, such as files, APIs, plugins, web automation, and external services. If policy checks fail, a prompt-injected model or attacker-controlled workspace can reach places that an operator meant to restrict.

Three OpenClaw vulnerabilities fixed in one release

The first issue is tracked as GHSA-7jm2-g593-4qrc. GitHub’s advisory says OpenClaw’s gateway configuration patching guard did not protect several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth and TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening.

That means a prompt-injected model with access to the owner-only gateway tool could persist changes to sensitive settings. GitHub classifies the issue as moderate severity, with a CVSS score of 6.0.

OpenClaw fixed this by blocking model-driven gateway configuration changes across a broader set of protected operator paths. The patch also covers per-agent overrides and array-entry patching, which closes gaps that could let sensitive settings change indirectly.
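To make the shape of that fix concrete, here is an added example of a configuration patch guard. It is not OpenClaw's code: the protected path prefixes, the `agents.<name>.` override convention and the `plugins[2]` array syntax are assumptions chosen to mirror the categories the advisory lists, and the principal names are constructed. The point it shows is that a guard which only string-matches the top-level path misses the per-agent override and array-entry routes to the same setting, so the check normalises the path first.

```javascript
// Added example (not OpenClaw's code): a patch guard that refuses model-driven
// changes to operator-trusted configuration paths. Path prefixes are assumptions
// chosen to mirror the advisory's categories, not OpenClaw's real config keys.

const PROTECTED_PREFIXES = [
  "sandbox",        // sandbox policy
  "plugins",        // plugin enablement
  "gateway.auth",   // gateway authentication
  "gateway.tls",    // gateway TLS
  "hooks",          // hook routing
  "mcp.servers",    // MCP server configuration
  "network.ssrf",   // SSRF policy
  "filesystem",     // filesystem hardening
];

// Normalise a dotted path: drop array indices ("plugins[2].enabled" ->
// "plugins.enabled") and strip an assumed per-agent override prefix
// ("agents.<name>.sandbox.policy" -> "sandbox.policy"), so that indirect
// routes to a protected setting are judged by the same rule as the direct one.
function canonicalPath(path) {
  const parts = path
    .replace(/\[\d+\]/g, "")          // array-entry patching: plugins[2] -> plugins
    .split(".")
    .filter((p) => p.length > 0);
  if (parts[0] === "agents" && parts.length > 2) {
    return parts.slice(2).join(".");  // per-agent override of a global setting
  }
  return parts.join(".");
}

function isProtectedPath(path) {
  const canon = canonicalPath(path);
  return PROTECTED_PREFIXES.some(
    (prefix) => canon === prefix || canon.startsWith(prefix + ".")
  );
}

// Minimal dotted-path setter; array indices become numeric keys.
function setPath(obj, path, value) {
  const keys = path.replace(/\[(\d+)\]/g, ".$1").split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined || typeof cur[keys[i]] !== "object") {
      cur[keys[i]] = /^\d+$/.test(keys[i + 1]) ? [] : {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
}

// Apply a patch (list of {path, value}) on behalf of a principal. Anything that
// is not the operator is refused on protected paths. Returns the applied and
// rejected paths so the caller can log every refusal.
function applyGuardedPatch(config, patch, principal) {
  const applied = [];
  const rejected = [];
  for (const { path, value } of patch) {
    if (principal !== "operator" && isProtectedPath(path)) {
      rejected.push(path);
      continue;
    }
    setPath(config, path, value);
    applied.push(path);
  }
  return { applied, rejected };
}
```

The defender-side check worth keeping from this is the log of `rejected` paths: a model that repeatedly tries to patch `gateway.tls` or `sandbox` settings is a useful signal of prompt injection even when the guard holds.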

| Advisory | Issue | Affected versions | Fixed version | Severity |
| --- | --- | --- | --- | --- |
| GHSA-7jm2-g593-4qrc | Gateway configuration mutation | < 2026.4.20 | 2026.4.20 | Moderate |
| GHSA-qrp5-gfw2-gxv4 | MCP and LSP tool policy bypass | < 2026.4.20 | 2026.4.20 | Moderate |
| GHSA-h2vw-ph2c-jvwf | MiniMax host override via workspace .env | >= 2026.4.5, < 2026.4.20 | 2026.4.20 | Moderate |

Bundled tools could bypass policy checks

The second flaw, GHSA-qrp5-gfw2-gxv4, affects bundled MCP and LSP tools. According to GitHub, these tools could be added to an agent’s active tool set after OpenClaw had already applied its normal policy filtering process.

This matters because operators may set strict rules for agents. Those rules can include allow lists, deny lists, owner-only restrictions, sandbox tool policies, or subagent policies.

In vulnerable versions, a bundled MCP or LSP tool could remain available even when the same policy should have blocked it. GitHub says this was a local agent policy-enforcement bypass rather than an unauthenticated remote gateway compromise.
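The ordering problem the advisory describes is easy to reproduce in miniature. The following is an added example, not OpenClaw's tool-loading code: it contrasts a tool-set builder that appends bundled tools after policy filtering with one that filters the merged set last, and adds a startup check an operator can run regardless of how the set was built. Tool names, the `ownerOnly` flag and the policy shape (`allow`, `deny`, `isOwner`) are constructed for the example.

```javascript
// Added example (not OpenClaw's code): assembling an agent's active tool set.
// The vulnerable variant mirrors the advisory's description, where bundled
// MCP/LSP tools join the set after policy filtering has already run; the fixed
// variant makes policy filtering the last step over the final set.
// Tool and policy names below are constructed for this example.

function isAllowed(tool, policy) {
  // Deny list wins, then the allow list (when one is set), then owner-only gating.
  if (policy.deny && policy.deny.includes(tool.name)) return false;
  if (policy.allow && !policy.allow.includes(tool.name)) return false;
  if (tool.ownerOnly && !policy.isOwner) return false;
  return true;
}

function filterByPolicy(tools, policy) {
  return tools.filter((t) => isAllowed(t, policy));
}

// Vulnerable ordering: bundled tools are appended after the filter and never checked.
function buildToolSetVulnerable(coreTools, bundledTools, policy) {
  const filtered = filterByPolicy(coreTools, policy);
  return [...filtered, ...bundledTools];
}

// Fixed ordering: every source of tools is merged first, then filtered once.
function buildToolSetFixed(coreTools, bundledTools, policy) {
  const merged = [...coreTools, ...bundledTools];
  return filterByPolicy(merged, policy);
}

// Defensive check for startup or CI: return the names of any active tools the
// policy would reject. A non-empty result means a loader somewhere skipped the filter.
function verifyToolSet(activeTools, policy) {
  return activeTools.filter((t) => !isAllowed(t, policy)).map((t) => t.name);
}

function names(tools) {
  return tools.map((t) => t.name);
}

// Constructed sample data: two core tools, two bundled tools, one subagent policy.
const CORE_TOOLS = [
  { name: "read_file" },
  { name: "shell", ownerOnly: true },
];
const BUNDLED_TOOLS = [
  { name: "mcp.filesystem", ownerOnly: true },
  { name: "lsp.rename" },
];
const SUBAGENT_POLICY = { isOwner: false, deny: ["lsp.rename"] };
```

With the sample policy, the vulnerable builder hands the subagent both bundled tools even though one is owner-only and the other is explicitly denied; the fixed builder leaves only `read_file`. The `verifyToolSet` check is the piece worth keeping as a regression test, since it catches any future loader that reintroduces the same ordering.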

Host override flaw could expose API keys

The third vulnerability, GHSA-h2vw-ph2c-jvwf, involves the MiniMax API request path. GitHub says a malicious workspace .env file could set MINIMAX_API_HOST and redirect credentialed MiniMax requests to an attacker-controlled server.

That could expose the MiniMax API key through the outbound Authorization header. The vulnerability requires OpenClaw to run from an attacker-controlled workspace, so it does not work as a simple remote compromise by itself.

OpenClaw fixed the problem by blocking MINIMAX_API_HOST from workspace dotenv injection and removing environment-driven URL routing from the affected MiniMax request path. GitHub gives this advisory a CVSS score of 6.8, making it the highest-rated of the three issues.

Why these OpenClaw flaws matter

These vulnerabilities show why AI agent security needs more than normal app patching. OpenClaw-style systems connect language models to tools, services, local files, and external APIs. A small policy mistake can turn into a wider access problem when an agent can act on instructions.

The gateway mutation flaw is especially important because it touches operator-trusted settings. These settings define what the agent can do, where it can connect, what tools it can use, and which filesystem protections apply.

The tool-policy flaw also shows a common AI agent risk. If bundled tools enter the active tool set after policy checks, the final agent behavior may not match the operator’s intended restrictions.

What users should do now

OpenClaw users should update to at least 2026.4.20, although the npm package now lists a newer latest version. The npm page shows openclaw as actively updated, with a newer release available after the security fixes.

Teams should also review agent policies after updating. A patch fixes the vulnerable code path, but it does not automatically confirm that an existing deployment has safe tool rules, safe workspace files, and limited API access.

For safer use, administrators should treat AI agent workspaces like code repositories. Do not run OpenClaw from untrusted workspaces, do not load unknown .env files, and do not grant agents broad tool permissions unless the workflow truly needs them.

  • Upgrade OpenClaw to the latest available version, or at least 2026.4.20.
  • Review all gateway configuration files for unexpected policy, plugin, TLS, SSRF, hook, MCP, or filesystem changes.
  • Check whether any agent uses bundled MCP or LSP tools that should be restricted.
  • Audit workspaces for untrusted .env files.
  • Search for MINIMAX_API_HOST in workspace configuration files.
  • Rotate exposed MiniMax API keys if OpenClaw ran inside an untrusted workspace.
  • Use allow lists for sensitive tools instead of broad default access.
  • Require human approval for actions that touch credentials, files, network access, or external APIs.

At a glance

| Area | What changed |
| --- | --- |
| Product | OpenClaw |
| Package | openclaw on npm |
| Patched release | 2026.4.20 |
| Main risk | Policy bypass and credential exposure |
| Most sensitive flaw | MiniMax host override via workspace .env |
| Exploit type | Local or model-driven guard bypass, depending on the flaw |
| Required action | Update, review policies, audit workspaces, rotate exposed keys |

FAQ

What is OpenClaw?

OpenClaw is an open-source personal AI assistant that runs on a user’s own devices. It can connect to messaging channels and use a gateway to control assistant workflows, tools, and integrations.

Which OpenClaw version fixes these vulnerabilities?

OpenClaw 2026.4.20 fixes the three vulnerabilities covered here. Users should update to the latest available version or at least 2026.4.20.

Are these remote unauthenticated vulnerabilities?

No. The GitHub advisories describe these issues as model-to-operator, local policy-enforcement, or attacker-controlled workspace scenarios. They are still important because agent frameworks can hold sensitive permissions.

Can the host override flaw steal credentials?

Yes. The GHSA-h2vw-ph2c-jvwf advisory says a malicious workspace .env file could redirect credentialed MiniMax requests and expose the MiniMax API key in the outbound Authorization header.
