CVE Catalog

CVE-2026-53818

MediumCVSS 6.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile — higher than 2% of all known CVEs

Summary

OpenClaw before version 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies. Attackers can invoke owner-only behavior through the affected loopback path.

Risk Assessment

This vulnerability may lead to unauthorized access to tools that should be restricted to owners, posing a serious security threat to the system.

Recommendation

It is recommended to update OpenClaw to version 2026.4.24 or later to mitigate this vulnerability and review access policies for tools.

Original NVD description (English source)

OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS