Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable but requires targeting a specific dispatch path (AC:H); low-privilege authentication required (PR:L); integrity impact only, no confidentiality or availability effect.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.5.6.
DescriptionCVE.org
OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms.
AnalysisAI
Hook-based policy enforcement bypass in OpenClaw before 2026.5.6 allows authenticated low-privilege network attackers to route skill commands through a specific vulnerable dispatch path, causing before-tool-call hooks to be skipped entirely. This silently circumvents audit logging and policy enforcement mechanisms that defenders rely on to detect and govern tool invocation behavior within the framework. No public exploit code has been identified at time of analysis, and CVSS 4.0 rates this at 2.3 (Low) with specific attack requirements (AT:P), limiting real-world risk primarily to environments that actively depend on hook-based security controls.
Technical ContextAI
OpenClaw is a tool and agent orchestration framework that routes skill commands through a dispatch path and invokes lifecycle hooks - specifically before-tool-call hooks - to apply policy enforcement and auditing prior to tool execution. The affected code path (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) fails to invoke these hooks when skill commands traverse a specific alternative dispatch route, leaving hook coverage absent for that path. The root cause is classified as CWE-693 (Protection Mechanism Failure), meaning a security control exists in the product but can be rendered ineffective without the mechanism itself being compromised. This vulnerability does not grant direct data access or arbitrary code execution; it removes a defense-in-depth layer from tool invocations.
RemediationAI
Upgrade OpenClaw to version 2026.5.6 or later, which resolves the dispatch path flaw and ensures before-tool-call hooks are consistently invoked for all skill command routes. Consult the vendor security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-68xw-r643-9p5w for patch release confirmation and any additional guidance. If an immediate upgrade is not feasible, restrict access to the vulnerable dispatch path at the application or network layer so that only fully-vetted clients can issue skill commands - note this may disrupt legitimate workflows that depend on that path. As a compensating control, supplement OpenClaw hook-based auditing with out-of-band logging at the infrastructure level, such as reverse proxy access logs or network flow capture, so that tool invocations remain observable even if hooks are bypassed; this does not prevent the bypass but restores visibility.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37147
GHSA-r7vv-6763-m739