CVE-2026-44998
Received Received - Intake
OpenClaw Tool Policy Bypass Vulnerability

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulnCheck

Description
OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-19
NVD
CVE-2026-44998
EUVD
EUVD-2026-29143
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.4.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in OpenClaw allows bundled MCP and LSP tools to bypass configured tool restrictions, including owner-only restrictions and sandbox policies. This could potentially lead to unauthorized access to sensitive tools by attackers with local agent access.

Such unauthorized access could undermine the enforcement of security policies designed to protect sensitive data and system integrity, which are critical for compliance with standards like GDPR and HIPAA that require strict access controls and data protection measures.

However, the vulnerability is a local policy-enforcement bypass and does not represent a remote compromise. The severity is rated as moderate, and the issue was fixed in version 2026.4.20 by ensuring bundled tools are subject to the same policy checks as core tools.

Therefore, if left unpatched, this vulnerability could increase the risk of non-compliance with regulations that mandate strict access control and auditability, by allowing unauthorized tool execution that might lead to data exposure or policy violations.

Executive Summary

CVE-2026-44998 is a vulnerability in OpenClaw versions before 2026.4.20 where bundled MCP (Model Context Protocol) and LSP (Language Server Protocol) tools can bypass configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, effectively circumventing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.

This happens because bundled tools were not properly filtered through the final tool policy pipeline, allowing them to bypass security controls that normally restrict tool usage. The vulnerability is a local policy-enforcement bypass, not a remote compromise.

Impact Analysis

This vulnerability can allow an attacker with local access to the OpenClaw agent to execute restricted tools that should have been blocked by security policies. This means unauthorized tools can be run despite configured restrictions such as owner-only access, sandboxing, and allow/deny lists.

As a result, it can lead to unauthorized access to sensitive tools and potentially sensitive data or operations that those tools control, increasing the risk of privilege escalation or misuse of the system.

Detection Guidance

Detection of this vulnerability involves verifying whether bundled MCP and LSP tools are bypassing configured tool restrictions in OpenClaw versions before 2026.4.20.

Since the vulnerability requires local agent access and involves policy bypass after filtering, detection can focus on checking the effective tool set for the presence of restricted bundled tools that should have been blocked by policies.

Specific commands are not provided in the available resources, but general approaches include:

  • Listing the active tools and their policies on the OpenClaw agent to identify if restricted bundled MCP or LSP tools are present.
  • Reviewing logs for warnings or unusual tool executions that bypass policy restrictions.
  • Using OpenClaw's diagnostic or debugging commands to inspect the tool policy filtering pipeline and effective tool sets.

Because no explicit detection commands are documented in the provided resources, users should consult OpenClaw documentation or support for specific commands to audit tool policies and effective tool sets.

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.4.20 or later, where the vulnerability has been fixed.

The fix ensures that bundled MCP and LSP tools are properly filtered through the final tool policy pipeline, enforcing all configured restrictions including allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.

Until the upgrade can be applied, restrict local agent access to trusted users only, as the vulnerability requires local agent access to exploit.

Review and tighten tool policies and access controls to minimize the risk of unauthorized tool execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44998. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart