Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack vector and low privileges confirmed by loopback path; high integrity from unrestricted command execution; no scope change as subsequent systems are unaffected.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command reach than intended.
AnalysisAI
OpenClaw's bundled MCP loopback session-spawn path fails to enforce its exec denylist, allowing authenticated low-privilege callers to execute commands that should be restricted. Affected versions are all OpenClaw releases prior to 2026.5.12. An attacker with local, authenticated access can spawn MCP sessions through the loopback path to gain command reach exceeding their authorized scope, resulting in high integrity impact on the vulnerable system. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) implements the Model Context Protocol (MCP), an AI tool-integration protocol that allows clients to invoke server-side capabilities including process execution. The bundled MCP component exposes a loopback session-spawn path - a local interface used to instantiate new MCP sessions. This path is supposed to honor an exec denylist that restricts which commands can be run. CWE-862 (Missing Authorization) identifies the root cause: the session-spawn code path does not re-validate or enforce the denylist when spawning sessions via the loopback mechanism, effectively creating an authorization gap between what the denylist intends to block and what the loopback path actually permits. The CVSS 4.0 vector (AV:L) confirms exploitation requires local system access, consistent with a loopback-bound interface.
RemediationAI
Upgrade to OpenClaw 2026.5.12 or later, which resolves the exec denylist bypass in the bundled MCP loopback session-spawn path per the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-qh2f-99mv-mrcf. If immediate patching is not possible, restrict local system access to only trusted, authorized users who require OpenClaw functionality, reducing the pool of callers who could reach the loopback session-spawn path. Additionally, consider disabling or isolating the bundled MCP session-spawn feature if it is not required by your deployment - note that this may break MCP-dependent integrations. Audit local accounts and service credentials with access to the OpenClaw process to enumerate who could currently exploit this path.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36608
GHSA-jxfq-h7pm-67ph