Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.
AnalysisAI
OpenClaw before version 2026.4.20 allows authenticated local agents to bypass tool policy restrictions by appending bundled MCP and LSP tools to the effective tool set after policy filtering has completed. Attackers with local agent access can circumvent profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies, potentially gaining unauthorized access to restricted tools. This vulnerability requires a configured bundled tool source and an operator-defined restrictive policy; no active exploitation has been identified.
Technical ContextAI
OpenClaw is a Node.js-based agentic framework (distributed via npm) that manages tool access through a multi-layered policy pipeline. The vulnerability exists in the embedded agent runner component, specifically in how bundled MCP (Model Context Protocol) and LSP (Language Server Protocol) tools are integrated into the effective tool set. The root cause (CWE-863: Incorrect Authorization) stems from improper validation logic: bundled tools are merged into the effective tool set before final policy filtering is applied, whereas core tools are subject to all policy checks. The policy pipeline includes tool profiles, provider profiles, global/agent/group policies, owner-only filtering, sandbox restrictions, and subagent constraints. The fix introduces a new applyFinalEffectiveToolPolicy function that applies comprehensive policy filtering to bundled tools after they are merged, ensuring parity with core tool authorization checks. The affected CPE is cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:* for all versions prior to 2026.4.20.
RemediationAI
Upgrade OpenClaw to version 2026.4.20 or later immediately. This patched version applies final effective tool policy filtering to bundled MCP/LSP tools before they are merged into the active tool set, ensuring that profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies are uniformly enforced. The upstream fix commit is 0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada. Until patching is possible, operators should review and tighten configurations: disable bundled MCP/LSP tool sources if not required, explicitly remove restricted tools from allow lists if they are unnecessarily permissive, and audit which agents have local policy-override capabilities. These compensating controls limit attack surface but do not eliminate the underlying vulnerability. The trade-off of disabling bundled tools is reduced functionality; the trade-off of stricter policies is increased administrative overhead.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29143
GHSA-fr55-95rr-vm5x