Impact
OpenClaw before 2026.5.12 contains an exec denylist bypass: an authenticated caller can use the bundle MCP loopback session‑spawn path to spawn sessions with wider command capabilities than the denylist is meant to allow. The weakness is a missing authorization check (CWE‑862): the session‑spawn path accepts commands that the application's denylist should have rejected, so the restriction that applies elsewhere is not enforced on this path. A successful bypass lets the caller run commands the denylist was intended to block, with whatever privileges the spawned session already has, so confidentiality, integrity, and availability of the host can all be affected depending on what those commands do. Exploitation requires authentication and reach to the loopback session‑spawn path, so the exposed population is callers who already hold valid credentials or have compromised such an account; for them, the bypass effectively removes the command restriction. Risk and exploitability are moderate: the CVSS score of 6.9 sits at the top of the Medium band, the vulnerability is not listed in CISA KEV, and no EPSS score has been published, so there is no public evidence of exploitation at the time of writing. Restricting who can reach the bundle MCP session‑spawn endpoint, and upgrading to 2026.5.12 or later, are the main mitigations.
Affected Systems
OpenClaw (vendor: OpenClaw), all versions prior to 2026.5.12.
Risk and Exploitability
The CVSS score of 6.9 places the flaw at the top of the Medium band; with no EPSS score published and no CISA KEV listing, there is no public evidence of active exploitation, and the overall threat level is moderate. An attacker needs authenticated access that reaches the bundle MCP loopback session‑spawn path; with that, they can bypass the exec denylist and spawn sessions able to run commands the denylist was meant to block. Because the bypass lies in the spawn path rather than in a particular denylist entry, tightening the denylist alone does not close it; upgrading to 2026.5.12 or later, or restricting access to the session‑spawn endpoint, is required.
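The bug class described in the Impact and Risk sections, a denylist enforced on one spawn path and skipped on another, as an added TypeScript example. This is not OpenClaw's code and does not reproduce the real bypass: the two entry paths, the `EXEC_DENYLIST` contents, the request shape, and every function name are assumed for illustration. The vulnerable shape trusts the loopback caller and never consults the denylist; the hardened shape routes every entry path through one chokepoint and normalizes the command (path prefix, case, `env` wrapper) before matching, failing closed on an empty command.

```typescript
// Added example, not OpenClaw code: models the bug class (denylist enforced on one
// spawn path, skipped on another) and the chokepoint fix. All names are assumed.

type EntryPath = "gateway" | "bundle-mcp-loopback";

interface SpawnRequest {
  argv: readonly string[];   // command and arguments the session would run
  entryPath: EntryPath;      // which code path received the request
}

interface SpawnDecision {
  allowed: boolean;
  reason: string;
}

// Assumed denylist contents, for illustration only.
const EXEC_DENYLIST: ReadonlySet<string> = new Set(["rm", "curl", "wget", "sh", "bash", "nc"]);

// Reduce "/usr/bin/Curl" to "curl" so a path prefix or case change cannot evade the match.
function normalizeCommand(argv0: string): string {
  const base = argv0.split("/").pop() ?? argv0;
  return base.toLowerCase();
}

function isEnvAssignment(token: string): boolean {
  return /^[A-Za-z_][A-Za-z0-9_]*=/.test(token);
}

// Policy check. Unwraps `env [VAR=value ...] cmd` so the launcher name is not what
// gets compared, and fails closed when no command is present at all.
function isDenied(argv: readonly string[]): boolean {
  let i = 0;
  if (argv[0] === "env") {
    i = 1;
    while (i < argv.length && isEnvAssignment(argv[i] ?? "")) i++;
  }
  const head = argv[i];
  if (head === undefined) return true;
  return EXEC_DENYLIST.has(normalizeCommand(head));
}

// Vulnerable shape: the gateway path enforces the denylist, but the loopback
// session-spawn path trusts its local, authenticated caller and skips the check.
function spawnSessionVulnerable(req: SpawnRequest): SpawnDecision {
  if (req.entryPath === "bundle-mcp-loopback") {
    return { allowed: true, reason: "loopback caller trusted; denylist not consulted" };
  }
  return isDenied(req.argv)
    ? { allowed: false, reason: `gateway: denylisted ${req.argv[0] ?? "<empty>"}` }
    : { allowed: true, reason: "gateway: denylist check passed" };
}

// Hardened shape: every entry path goes through the same check. The entry path is
// kept only for the audit reason string and never used to decide whether to check.
function spawnSessionHardened(req: SpawnRequest): SpawnDecision {
  const denied = isDenied(req.argv);
  const head = req.argv[0] ?? "<empty>";
  return {
    allowed: !denied,
    reason: `${req.entryPath}: ${denied ? "denylisted" : "allowed"} ${head}`,
  };
}

// Count requests the vulnerable shape lets through that the hardened shape rejects.
function countBypasses(requests: readonly SpawnRequest[]): number {
  return requests.filter(
    (r) => spawnSessionVulnerable(r).allowed && !spawnSessionHardened(r).allowed,
  ).length;
}

// Constructed sample requests (not real traffic).
const CONSTRUCTED_REQUESTS: readonly SpawnRequest[] = [
  { argv: ["ls", "-la"], entryPath: "gateway" },
  { argv: ["curl", "http://example.invalid/"], entryPath: "gateway" },
  { argv: ["curl", "http://example.invalid/"], entryPath: "bundle-mcp-loopback" },
  { argv: ["/usr/bin/Curl", "http://example.invalid/"], entryPath: "gateway" },
  { argv: ["env", "X=1", "bash", "-c", "id"], entryPath: "bundle-mcp-loopback" },
];

for (const r of CONSTRUCTED_REQUESTS) {
  console.log(spawnSessionVulnerable(r).reason, "|", spawnSessionHardened(r).reason);
}
console.log("bypasses closed by the chokepoint:", countBypasses(CONSTRUCTED_REQUESTS));
```

The point of the hardened shape is that the caller's entry path never decides whether the policy runs; it is recorded for audit only. When reviewing a fix for this class of bug, look for exactly that: one function through which every spawn passes, and no branch that returns `allowed` before reaching it.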
OpenCVE Enrichment