Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

GHSA-w5c7-9qqw-6645

OpenClaw inter-session prompts could be treated as direct user instructions
Back to all
CVE

GHSA-w5c7-9qqw-6645

OpenClaw inter-session prompts could be treated as direct user instructions

Summary

Inter-session messages sent via sessions_send could be interpreted as direct end-user instructions because they were persisted as role: "user" without provenance metadata.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.12 (i.e. < 2026.2.13)
  • Fixed in: 2026.2.13 (patched versions >= 2026.2.13)

Impact

A delegated or internal session could inject instructions into another session that appeared equivalent to externally-originated user input.

This is an instruction-provenance confusion issue (confused-deputy style), which can lead to unintended privileged behavior in workflows that trust role: "user" as a sole authority signal.

Technical details

Before the fix, routed inter-session prompts were stored as regular user turns without a verifiable source marker.

As a result, downstream workers and transcript readers could not distinguish:

  • External user input
  • Internal inter-session routed input

Fix

OpenClaw now carries explicit input provenance end-to-end for routed prompts.

Key changes:

  • Added structured provenance model (inputProvenance) with kind values including inter_session.
  • sessions_send and agent-to-agent steps now set inter-session provenance when invoking target runs.
  • Provenance is persisted on user messages as message.provenance.kind = "inter_session" (role remains user for provider compatibility).
  • Transcript readers and memory helpers were updated to respect provenance and avoid treating inter-session prompts as external user-originated input.
  • Runtime context rebuilding now annotates inter-session turns with an explicit in-memory marker ([Inter-session message]) for clearer model-side disambiguation.
  • Regression tests were added for transcript parsing, session tools flow, runner sanitization, and memory hook behavior.

Fix Commit(s)

  • 85409e401b6586f83954cb53552395d7aab04797

Workarounds

If immediate upgrade is not possible:

  • Disable or restrict sessions_send in affected environments.
  • Do not use role alone as an authority boundary; require provenance-aware checks in orchestration logic.

Credit

Reported by @anbecker.

Thanks @anbecker for reporting.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
C
H
U
7.1
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Related Resources

No items found.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645, https://github.com/openclaw/openclaw/commit/85409e401b6586f83954cb53552395d7aab04797, https://github.com/openclaw/openclaw, https://github.com/openclaw/openclaw/releases/tag/v2026.2.12

Severity

7.1

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.1
EPSS Probability
0%
EPSS Percentile
0%
Introduced Version
0,2026.2.6-1,2026.2.6,2026.2.2,2026.1.29-beta.1,2026.1.27-beta.1,2026.1.20,2026.1.14-1,2026.1.12,2026.1.8,2026.1.4,2.0.0-beta2,2.0.0-beta1
Fix Available
2026.2.13,2026.2.12,2026.2.14

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading