DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-W5C7-9QQW-6645: The Whisper Game: Agent-to-Agent Privilege Escalation in OpenClaw

#security #cve #cybersecurity #ghsa

The Whisper Game: Agent-to-Agent Privilege Escalation in OpenClaw

Vulnerability ID: GHSA-W5C7-9QQW-6645
CVSS Score: 8.6
Published: 2026-02-18

A critical flaw in OpenClaw's orchestration engine allowed low-privilege AI agents to masquerade as the human user when communicating with high-privilege agents. By failing to track instruction provenance, the system treated internal 'inter-session' messages as direct user commands, enabling a classic confused deputy attack where a compromised sub-agent could coerce the admin agent into executing arbitrary code.

TL;DR

OpenClaw agents could talk to each other, but the system forgot to check who was talking. A compromised 'Email Reader' agent could send a message to the 'System Admin' agent via the sessions_send tool. The Admin agent would see this message as coming directly from the User (God Mode) and happily execute commands like rm -rf /, bypassing all authorization checks.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Instruction Provenance Confusion
  • Attack Vector: Indirect Prompt Injection
  • CVSS Score (Est): 8.6 (High)
  • Affected Component: sessions_send tool / Transcript Storage
  • Patched Version: v2026.2.12
  • Exploit Maturity: PoC / Conceptual

Affected Systems

  • OpenClaw AI Orchestrator
  • Multi-Agent Systems using sessions_send tool
  • OpenClaw: < v2026.2.12 (Fixed in: v2026.2.12)

Code Analysis

Commit: 85409e4

Fix: introduce input provenance and sanitize inter-session messages

+ export type InputProvenance = { kind: "inter_session" ... }
- messages.push({ role: "user", content: ... })
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • GitHub Advisory: Conceptual PoC demonstrating privilege escalation via sessions_send

Mitigation Strategies

  • Update to OpenClaw v2026.2.12 immediately to enforce provenance tracking.
  • Disable the sessions_send tool for agents that process untrusted external input (web, email).
  • Implement human_approval: true for sensitive tools like exec_bash or write_file.
  • Review system prompts to explicitly instruct agents to treat [Inter-session message] content with skepticism.

Remediation Steps:

  1. Pull the latest docker image or git repository for OpenClaw.
  2. Verify that src/sessions/input-provenance.ts exists in your source tree.
  3. Restart the agent orchestration service.
  4. Audit existing .jsonl session logs for historical anomalies where role: 'user' messages appear without provenance metadata.

References

Read the full report for GHSA-W5C7-9QQW-6645 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)