Description
OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications.
Published: 2026-06-11
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before version 2026.5.20 contains a privilege‑escalation flaw where a hook‑triggered agent receives owner‑scoped MCP loopback authority instead of the intended hook scope. This weakness, classified as CWE‑266, allows an attacker who possesses a valid hook token to manipulate the "/hooks/agent" endpoint so that spawned command‑line runtimes gain access to MCP tools that should be limited to the owner. The attacker could then execute privileged actions, such as modifying persistent cron state or other owner‑only operations, thereby compromising the integrity and confidentiality of the system.

Affected Systems

The affected product is OpenClaw from OpenClaw, Inc. Versions earlier than 2026.5.20 are vulnerable; only releases 2026.5.20 or newer provide the fix.

Risk and Exploitability

The CVSS score of 8.7 indicates a high‑severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires a valid hook token and access to the "/hooks/agent" API. If an attacker can intercept or generate such a token, they can activate the flaw to elevate privileges. The vulnerability is exploitable in the absence of defensive controls such as strict token validation or scope restrictions.

Generated by OpenCVE AI on June 11, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.5.20 or later to obtain the vendor fix.
  • Revoke or rotate all existing hook tokens and enforce strict token‑scoping policies to ensure hooks cannot gain owner authority.
  • Temporarily disable or restrict owner‑only MCP tools for CLI runtimes or reconfigure the system so that spawned CLI processes are constrained to hook‑appropriate scopes.

Generated by OpenCVE AI on June 11, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications.
Title OpenClaw < 2026.5.20 - Privilege Escalation via Hook-Triggered CLI MCP Tool Authority
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-266
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-11T20:08:31.474Z

Reserved: 2026-06-10T21:14:38.834Z

Link: CVE-2026-53814

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-11T21:16:23.570

Modified: 2026-06-11T21:16:23.570

Link: CVE-2026-53814

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T23:00:09Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment