Description
OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms.
Published: 2026-06-16
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before version 2026.5.6 contains a flaw that allows skill commands sent through the affected dispatch path to skip the before-tool-call hook, removing audit and policy enforcement for those commands. This weakness corresponds to CWE-693. The result is that attackers can perform privileged actions without triggering standard logging or restrictions.

Affected Systems

The vulnerability affects the OpenClaw product supplied by OpenClaw, specifically any installations using a version older than 2026.5.6. No additional sub‑release information is provided in the advisory.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity issue, and the EPSS score of less than 1% shows an extremely low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. The assault vector is inferred to be remote, involving the remote transmission of skill commands via the vulnerable dispatch route, as the description mentions attackers sending skill commands through the affected path but does not detail the exact channel. Overall, the risk to confidentiality, integrity, or availability is minimal, although organizations with stringent auditing requirements may still need to address the bypass.

Generated by OpenCVE AI on June 17, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OpenClaw release (2026.5.6 or newer) to eliminate the hook bypass.
  • If upgrading immediately is not possible, restrict skill command inputs to trusted sources and disable or segregate the vulnerable dispatch path until a patch is applied.
  • Review audit logs for unauthorized skill command activity that may have bypassed the hook and investigate any anomalies.

Generated by OpenCVE AI on June 17, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-68xw-r643-9p5w OpenClaw: Skill-command dispatch could skip before-tool-call hooks
History

Tue, 16 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms.
Title OpenClaw < 2026.5.6 - Skill-Command Dispatch Hook Bypass via Before-Tool-Call Hook Skipping
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-693
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-16T18:55:41.789Z

Reserved: 2026-06-10T21:19:32.652Z

Link: CVE-2026-53845

cve-icon Vulnrichment

Updated: 2026-06-16T18:51:10.146Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T19:17:01.520

Modified: 2026-06-16T20:42:46.200

Link: CVE-2026-53845

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T22:30:13Z

Weaknesses
  • CWE-693

    Protection Mechanism Failure