CVE-2026-62219
Received Received - Intake

Authorization Bypass in OpenClaw via Blank Agent IDs

Vulnerability report for CVE-2026-62219, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

OpenClaw 2026.2.12 before 2026.5.26 contain an authorization bypass vulnerability in the hooks allowedAgentIds validation. A lower-trust caller or configured input path can bypass agent ID restrictions by submitting blank agent IDs, allowing actions that should require stronger authorization or policy checks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
openclaw openclaw to 2026.5.26 (exc)
openclaw openclaw From 2026.2.12 (inc) to 2026.5.26 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-62219 is an authorization bypass vulnerability in OpenClaw versions 2026.2.12 through 2026.5.26. It allows lower-trust callers or input paths to bypass agent ID restrictions by submitting blank agent IDs. This lets unauthorized users perform actions that should require stronger authorization checks.

Detection Guidance

To detect this vulnerability, check OpenClaw versions between 2026.2.12 and 2026.5.26. Verify if blank agent IDs are accepted in hooks allowedAgentIds validation. Review logs for unauthorized actions performed with blank agent IDs.

Impact Analysis

The impact depends on your OpenClaw configuration. If lower-trust input can reach the affected path, unauthorized actions may be performed. This could lead to data modification or other integrity risks, especially if the system relies on agent ID restrictions for security.

Compliance Impact

This vulnerability could potentially impact compliance with standards like GDPR and HIPAA by allowing unauthorized actions through authorization bypass. If lower-trust callers can perform actions requiring stronger authorization, it may lead to unauthorized data access or modification, violating integrity and confidentiality requirements in these regulations.

Mitigation Strategies

Upgrade OpenClaw to version 2026.5.26 or later. If upgrading is not immediately possible, restrict the affected feature to trusted operators only. Monitor for unauthorized actions and review access logs for suspicious activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62219. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart