Description
OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.
Published: 2026-05-11
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before version 2026.4.20 contains a vulnerability that allows an attacker with local agent access to append restricted tools to the effective tool set after policy filtering, thereby bypassing configured tool restrictions. The flaw enables bypass of profile policies, allow/deny lists, owner‑only restrictions, sandbox policies, and subagent policies, potentially permitting unauthorized execution of tools that the system is meant to restrict.

Affected Systems

The affected product is OpenClaw, all releases prior to 2026.4.20. No specific version list is provided beyond the release threshold, but any instance running an earlier build is susceptible.

Risk and Exploitability

The CVSS score is 2.3, reflecting a low severity vulnerability. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local agent access, so the attack vector is likely limited to environments where attackers can gain such a foothold. Given that the scope is confined to local manipulation of tool policies, the overall risk is relatively low, but it could undermine security controls that rely on tool restriction enforcement.

Generated by OpenCVE AI on May 11, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.20 or later to remove the policy bypass flaw
  • If an upgrade is not immediately feasible, review and tighten local agent permissions to prevent attackers from gaining the necessary access
  • Implement an additional monitoring layer to detect unexpected additions to the tool list, aligning with CWE‑863 mitigation practices such as validating property values against an allowed set
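The monitoring step in the last recommendation can be sketched as follows. This is an added example, not OpenClaw code: the policy shape, tool names, and function names are hypothetical, and the sample input is constructed. It models tools appended after filtering, the corrected merge-then-filter ordering, and a check that re-validates the final effective tool set against the allowed set.

```javascript
// Hypothetical model of an agent runtime's tool assembly; not OpenClaw source.
// Policy shape and tool names are constructed for illustration.
const policy = {
  allow: new Set(["read_file", "search", "lsp_hover"]),
  deny: new Set(["shell_exec"]),
};

// A tool is permitted only if it is allow-listed and not deny-listed.
function isPermitted(tool, p) {
  return p.allow.has(tool.name) && !p.deny.has(tool.name);
}

function applyPolicy(tools, p) {
  return tools.filter((t) => isPermitted(t, p));
}

// Flawed ordering described in the advisory: bundled tools are appended
// after filtering, so they never pass through the policy check.
function buildToolsFlawed(coreTools, bundledTools, p) {
  return [...applyPolicy(coreTools, p), ...bundledTools];
}

// Corrected ordering: merge every source first, filter once at the end.
function buildToolsHardened(coreTools, bundledTools, p) {
  return applyPolicy([...coreTools, ...bundledTools], p);
}

// Monitoring check: re-validate the final effective set against the policy
// and report every entry that should not be there, with its source.
function findPolicyViolations(effectiveTools, p) {
  return effectiveTools
    .filter((t) => !isPermitted(t, p))
    .map((t) => ({ name: t.name, source: t.source }));
}

// Constructed sample input.
const coreTools = [
  { name: "read_file", source: "core" },
  { name: "shell_exec", source: "core" },
];
const bundledTools = [
  { name: "lsp_hover", source: "lsp" },
  { name: "shell_exec", source: "mcp" },
  { name: "db_admin", source: "mcp" },
];

const flawed = buildToolsFlawed(coreTools, bundledTools, policy);
console.log("violations:", findPolicyViolations(flawed, policy));
```

Running the check on the final tool list, rather than on each source before merging, is what lets it catch entries added after the policy filter has already run.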

Advisories

No advisories yet.

History

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.
Title OpenClaw < 2026.4.20 - Tool Policy Bypass via Bundled MCP/LSP Tools
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-863
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T18:29:13.776Z

Reserved: 2026-05-08T16:41:39.934Z

Link: CVE-2026-44998

Vulnrichment

Updated: 2026-05-11T18:29:09.012Z

NVD

Status: Awaiting Analysis

Published: 2026-05-11T18:16:39.817

Modified: 2026-05-12T14:19:41.400

Link: CVE-2026-44998

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T18:45:25Z

Weaknesses