CVE-2026-62221
Received Received - Intake

Incorrect Authorization in OpenClaw 2026.5.12 AllowFrom Feature

Vulnerability report for CVE-2026-62221, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

OpenClaw 2026.5.12 before 2026.5.26 contain an incorrect authorization vulnerability in the ClickClack allowFrom feature. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization, including running non-allowlisted commands.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
openclaw openclaw to 2026.5.26 (exc)
openclaw openclaw From 2026.5.12 (inc) to 2026.5.26 (exc)
openclaw openclaw From 2026.5.12 (inc) to 2026.5.25 (inc)
openclaw openclaw 2026.5.26

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

OpenClaw versions 2026.5.12 to 2026.5.25 have an authorization bypass in the ClickClack allowFrom feature. This allows lower-trust callers or input paths to execute or save actions beyond their intended permissions, including running unauthorized commands.

Detection Guidance

To detect this vulnerability, check if your OpenClaw version is between 2026.5.12 and 2026.5.25. Run 'npm list openclaw' to verify the installed version. Inspect configurations for the ClickClack allowFrom feature to ensure it is restricted to trusted operators or disabled if unnecessary.

Impact Analysis

The impact depends on how the feature is configured. If lower-trust input can reach the affected path, attackers might execute unauthorized commands or persist malicious actions. Upgrading to version 2026.5.26 or later mitigates this risk.

Compliance Impact

This vulnerability could potentially impact compliance with standards like GDPR and HIPAA by allowing unauthorized execution of commands through incorrect authorization checks. If lower-trust input can reach the affected feature, it may lead to unauthorized data access or modifications, violating confidentiality and integrity requirements.

Mitigation Strategies

Upgrade OpenClaw to version 2026.5.26 or later. Alternatively, restrict the ClickClack allowFrom feature to trusted operators only or disable it if not required. Ensure no lower-trust input paths can reach the affected feature.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62221. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart