CVE-2026-53818
MediumCVSS 6.6Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
OpenClaw before version 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies. Attackers can invoke owner-only behavior through the affected loopback path.
Risk Assessment
This vulnerability may lead to unauthorized access to tools that should be restricted to owners, posing a serious security threat to the system.
Recommendation
It is recommended to update OpenClaw to version 2026.4.24 or later to mitigate this vulnerability and review access policies for tools.
Original NVD description (English source)
OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable.

