Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector with low privileges required to reach the MCP loopback path; high integrity impact from unrestricted owner-tool invocation; no scope change as subsequent systems are unaffected per available data.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1Blast Radius
ecosystem impact- 2 npm packages depend on openclaw (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.24.
DescriptionCVE.org
OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable.
AnalysisAI
Authorization bypass in OpenClaw before 2026.4.24 allows local, low-privileged callers to circumvent owner-only tool policies and before-tool-call hooks via the MCP loopback feature. By routing requests through the affected loopback path, a non-owner principal can invoke tools that should be restricted to the owner role, effectively escalating effective privileges within the application. No public exploit code has been identified at time of analysis, but a vendor patch has been released and the vulnerability was reported by VulnCheck.
Technical ContextAI
OpenClaw implements the Model Context Protocol (MCP), an emerging standard for tool-calling interfaces in AI agent frameworks. The MCP loopback feature is an internal routing mechanism that allows tool calls to be reflected back through the local MCP endpoint. The root cause maps to CWE-862 (Missing Authorization): the loopback code path does not enforce the same owner-only policy checks that the standard call path applies, nor does it invoke before-tool-call hooks that would ordinarily gate privileged operations. Affected versions are all OpenClaw releases prior to 2026.4.24, per CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*. The CVSS 4.0 vector AV:L/PR:L confirms the attack is local and requires low-privilege access, consistent with a process-level or account-level trust boundary failure rather than a network-exposed flaw.
RemediationAI
The primary fix is to upgrade OpenClaw to version 2026.4.24 or later, which resolves the missing authorization check in the MCP loopback code path per the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h. If immediate patching is not feasible, the most targeted compensating control is to disable the MCP loopback feature entirely; this eliminates the vulnerable code path but will break any workflows or integrations that depend on loopback-routed tool calls - operators should verify functional impact before disabling. If disabling the feature is not possible, restricting local access to the MCP loopback endpoint via OS-level access controls (e.g., restricting which accounts can invoke or connect to the loopback interface) reduces the attacker pool to owner-equivalent users, mitigating the privilege escalation risk while preserving feature availability. No version prior to 2026.4.24 should be considered safe for deployments where non-owner users have local access.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36324
GHSA-rj6p-xmxr-qj4h