Skip to main content

OpenClaw CVE-2026-53818

| EUVDEUVD-2026-36324 MEDIUM
Missing Authorization (CWE-862)
2026-06-11 VulnCheck GHSA-rj6p-xmxr-qj4h
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.6 MEDIUM

Local vector with low privileges required to reach the MCP loopback path; high integrity impact from unrestricted owner-tool invocation; no scope change as subsequent systems are unaffected per available data.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 11, 2026 - 21:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on openclaw (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.4.24.

DescriptionCVE.org

OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable.

AnalysisAI

Authorization bypass in OpenClaw before 2026.4.24 allows local, low-privileged callers to circumvent owner-only tool policies and before-tool-call hooks via the MCP loopback feature. By routing requests through the affected loopback path, a non-owner principal can invoke tools that should be restricted to the owner role, effectively escalating effective privileges within the application. No public exploit code has been identified at time of analysis, but a vendor patch has been released and the vulnerability was reported by VulnCheck.

Technical ContextAI

OpenClaw implements the Model Context Protocol (MCP), an emerging standard for tool-calling interfaces in AI agent frameworks. The MCP loopback feature is an internal routing mechanism that allows tool calls to be reflected back through the local MCP endpoint. The root cause maps to CWE-862 (Missing Authorization): the loopback code path does not enforce the same owner-only policy checks that the standard call path applies, nor does it invoke before-tool-call hooks that would ordinarily gate privileged operations. Affected versions are all OpenClaw releases prior to 2026.4.24, per CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*. The CVSS 4.0 vector AV:L/PR:L confirms the attack is local and requires low-privilege access, consistent with a process-level or account-level trust boundary failure rather than a network-exposed flaw.

RemediationAI

The primary fix is to upgrade OpenClaw to version 2026.4.24 or later, which resolves the missing authorization check in the MCP loopback code path per the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h. If immediate patching is not feasible, the most targeted compensating control is to disable the MCP loopback feature entirely; this eliminates the vulnerable code path but will break any workflows or integrations that depend on loopback-routed tool calls - operators should verify functional impact before disabling. If disabling the feature is not possible, restricting local access to the MCP loopback endpoint via OS-level access controls (e.g., restricting which accounts can invoke or connect to the loopback interface) reduces the attacker pool to owner-equivalent users, mitigating the privilege escalation risk while preserving feature availability. No version prior to 2026.4.24 should be considered safe for deployments where non-owner users have local access.

CVE-2026-28446 CRITICAL POC
9.4 Mar 05

Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.

CVE-2026-33579 CRITICAL POC
9.4 Mar 31

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b

CVE-2026-32042 HIGH POC
8.8 Mar 21

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att

CVE-2026-32051 HIGH POC
8.8 Mar 21

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.

CVE-2026-25253 HIGH POC
8.8 Feb 01

OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e

CVE-2026-32846 HIGH POC
8.7 Mar 26

Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in

CVE-2026-32064 HIGH POC
7.7 Mar 21

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all

CVE-2026-32055 HIGH POC
7.6 Mar 21

OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director

CVE-2026-32056 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func

CVE-2026-32049 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste

CVE-2026-32048 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low

CVE-2026-25474 HIGH POC
7.5 Feb 19

OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec

Share

CVE-2026-53818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy