Impact
OpenClaw before version 2026.5.6 contains a flaw that allows skill commands sent through the affected dispatch path to skip the before-tool-call hook, removing audit and policy enforcement for those commands. This weakness corresponds to CWE-693. The result is that attackers can perform privileged actions without triggering standard logging or restrictions.
Affected Systems
The vulnerability affects the OpenClaw product supplied by OpenClaw, specifically any installations using a version older than 2026.5.6. No additional sub‑release information is provided in the advisory.
Risk and Exploitability
The CVSS score of 2.3 indicates a low severity issue, and the EPSS score of less than 1% shows an extremely low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. The assault vector is inferred to be remote, involving the remote transmission of skill commands via the vulnerable dispatch route, as the description mentions attackers sending skill commands through the affected path but does not detail the exact channel. Overall, the risk to confidentiality, integrity, or availability is minimal, although organizations with stringent auditing requirements may still need to address the bypass.
OpenCVE Enrichment
Github GHSA