OpenClaw — Three Flaws Enable Policy Bypass and API Credential Theft

AI relevance: Three vulnerabilities in OpenClaw before 2026.4.20 allow prompt-injected models to silently rewrite gateway security settings, bypass operator-defined tool allowlists through bundled MCP/LSP tools, and exfiltrate MiniMax API keys via a poisoned workspace .env file.

What happened

  • Gateway configuration bypass: A prompt-injected model could override operator safeguards and modify trusted gateway settings, including sandbox policies, plugin enablement, secure hook routing, MCP server configurations, and filesystem protections — permanently altering system behavior.
  • Bundled MCP/LSP tool policy evasion: Bundled MCP and LSP tools appended themselves to an agent's active toolset after the core policy filter ran, meaning strict allowlists, denylists, and sandbox tool policies could be silently circumvented.
  • Workspace .env credential exfiltration: Versions 2026.4.5 through 2026.4.20 improperly handled workspace environment variables. A malicious .env file could override the MINIMAX_API_HOST setting, redirecting credentialed MiniMax API requests to an attacker-controlled server and leaking the API key in the outbound authorization header.
  • The OpenClaw team addressed all three issues in version 2026.4.20, published alongside a GitHub Security Advisory (GHSA-7jm2-g593-4qrc).
  • The fix for the gateway bypass now blocks model-driven changes across all sensitive configuration paths, including per-agent overrides and array-entry patching.
  • The bundled tools fix introduces a final validation pass that checks every tool against security policies before merging it into the active operational toolset.
  • The workspace fix blocks MINIMAX_API_HOST from environment-variable injection entirely and removes the vulnerable URL routing method.
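The bundled-tool evasion and its fix come down to ordering. The following is an added illustration, not OpenClaw's own code: the tool names, the policy shape and the function names are hypothetical, but it shows why appending bundled tools after the policy filter has run lets them bypass an allowlist, and how a final validation pass over the merged toolset closes that gap.

```javascript
// Added illustration (not OpenClaw code): tool lists and policy shape are hypothetical.
// Tools the agent core registers itself.
const CORE_TOOLS = [
  { name: "read_file", source: "core" },
  { name: "exec", source: "core" },
];

// Tools shipped with the framework (the bundled MCP/LSP tools in the advisory).
const BUNDLED_TOOLS = [
  { name: "mcp_http_fetch", source: "bundled-mcp" },
  { name: "lsp_rename_symbol", source: "bundled-lsp" },
];

// Operator policy: a strict allowlist plus an explicit denylist.
const POLICY = { allow: ["read_file", "lsp_rename_symbol"], deny: ["exec"] };

function isPermitted(tool, policy) {
  if (policy.deny.includes(tool.name)) return false;
  if (policy.allow.length > 0 && !policy.allow.includes(tool.name)) return false;
  return true;
}

// Vulnerable ordering: core tools are filtered, then bundled tools are appended
// afterwards and never see the policy at all.
function buildToolsetVulnerable(core, bundled, policy) {
  const filtered = core.filter((t) => isPermitted(t, policy));
  return [...filtered, ...bundled];
}

// Fixed ordering: merge every tool source first, then run one final validation
// pass so nothing reaches the active toolset without passing the policy.
function buildToolsetFixed(core, bundled, policy) {
  const merged = [...core, ...bundled];
  return merged.filter((t) => isPermitted(t, policy));
}

// Audit helper: names of active tools that the operator policy does not permit.
function policyViolations(toolset, policy) {
  return toolset.filter((t) => !isPermitted(t, policy)).map((t) => t.name);
}
```

Running `policyViolations` over the toolset a deployment actually activates is the kind of post-upgrade check the "What to do" section asks for.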

Why it matters

  • These flaws illustrate a recurring pattern in agent frameworks: the gap between operator intent (what the admin configured) and runtime reality (what the model can actually do) remains wide.
  • The bundled-tool evasion is particularly instructive — even when operators deploy explicit restrictive policies, the framework's own shipping tools can silently nullify them. This is a design-time risk, not just a configuration error.
  • The workspace .env credential leak demonstrates how agent filesystem access creates a novel attack vector: attackers don't need to compromise the agent itself — they only need to plant a file in a workspace the agent will later execute from.
  • With OpenClaw's rapidly growing install base, even moderate-severity flaws affect a large and expanding attack surface.

What to do

  • Upgrade to OpenClaw 2026.4.20 or later immediately: npm install openclaw@2026.4.20
  • Audit existing workspace directories for suspicious .env files, especially any that override MINIMAX_API_HOST or similar API endpoint variables.
  • Review bundled MCP/LSP tools in your deployment and verify they comply with your tool policy after upgrading — the fix adds a post-filter validation that may change runtime behavior.
  • If you run OpenClaw in production, treat the agent's filesystem-accessible directories as part of your trusted computing base — files there can alter agent behavior as much as configuration changes.

Sources