CVE-2026-44998
OpenClaw Tool Policy Bypass Vulnerability
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.20 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44998 is a vulnerability in OpenClaw versions before 2026.4.20 where bundled MCP (Model Context Protocol) and LSP (Language Server Protocol) tools can bypass configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, effectively circumventing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.
This happens because bundled tools were not properly filtered through the final tool policy pipeline, allowing them to bypass security controls that normally restrict tool usage. The vulnerability is a local policy-enforcement bypass, not a remote compromise.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with local access to the OpenClaw agent to execute restricted tools that should have been blocked by security policies. This means unauthorized tools can be run despite configured restrictions such as owner-only access, sandboxing, and allow/deny lists.
As a result, it can lead to unauthorized access to sensitive tools and potentially sensitive data or operations that those tools control, increasing the risk of privilege escalation or misuse of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying whether bundled MCP and LSP tools are bypassing configured tool restrictions in OpenClaw versions before 2026.4.20.
Since the vulnerability requires local agent access and involves policy bypass after filtering, detection can focus on checking the effective tool set for the presence of restricted bundled tools that should have been blocked by policies.
Specific commands are not provided in the available resources, but general approaches include:
- Listing the active tools and their policies on the OpenClaw agent to identify if restricted bundled MCP or LSP tools are present.
- Reviewing logs for warnings or unusual tool executions that bypass policy restrictions.
- Using OpenClaw's diagnostic or debugging commands to inspect the tool policy filtering pipeline and effective tool sets.
Because no explicit detection commands are documented in the provided resources, users should consult OpenClaw documentation or support for specific commands to audit tool policies and effective tool sets.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.4.20 or later, where the vulnerability has been fixed.
The fix ensures that bundled MCP and LSP tools are properly filtered through the final tool policy pipeline, enforcing all configured restrictions including allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.
Until the upgrade can be applied, restrict local agent access to trusted users only, as the vulnerability requires local agent access to exploit.
Review and tighten tool policies and access controls to minimize the risk of unauthorized tool execution.