GHSA-6fvr-66p3-3qj4: OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority
OpenClaw versions prior to 2026.5.20 have a vulnerability where hook-triggered CLI runs can inherit owner-scoped MCP tool authority instead of a restricted scope. This occurs when hooks are enabled and a valid hook token is used to trigger automated agent runs that select a bundled CLI backend. The vulnerability allows an attacker with a hook token to access or invoke MCP tools intended only for owner use. The issue is fixed in version 2026.5.20. Mitigations include upgrading to 2026.5.20 or later, keeping hook tokens secret, restricting network access to hook endpoints, and disabling hooks if not needed.
AI Analysis
Technical Summary
OpenClaw's hook ingress mechanism allows automated agent runs via a configured hook token. In affected versions, a hook-triggered run could select a bundled CLI backend that mistakenly receives owner-scoped MCP loopback authority rather than a scope appropriate for hook ingress. This flaw affects deployments with hooks enabled and accessible at /hooks/agent with a valid hook token. The vulnerability enables callers with the hook token to execute CLI runtimes with elevated owner-only MCP tool privileges, potentially exposing sensitive owner-only actions such as persistent cron state manipulation. The vulnerability is resolved in OpenClaw stable release 2026.5.20.
Potential Impact
An attacker possessing a valid hook token can trigger CLI runs with owner-level MCP tool authority, allowing access to or execution of owner-only management functions. The practical impact depends on the specific MCP tools available in the deployment, but it can lead to unauthorized access or control over sensitive owner-only operations.
Mitigation Recommendations
Upgrade OpenClaw to version 2026.5.20 or later, where this vulnerability is fixed. Additionally, keep hook tokens confidential, restrict network access to hook endpoints to trusted sources only, and disable hooks if they are not required in the deployment environment.
GHSA-6fvr-66p3-3qj4: OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority
Description
OpenClaw versions prior to 2026.5.20 have a vulnerability where hook-triggered CLI runs can inherit owner-scoped MCP tool authority instead of a restricted scope. This occurs when hooks are enabled and a valid hook token is used to trigger automated agent runs that select a bundled CLI backend. The vulnerability allows an attacker with a hook token to access or invoke MCP tools intended only for owner use. The issue is fixed in version 2026.5.20. Mitigations include upgrading to 2026.5.20 or later, keeping hook tokens secret, restricting network access to hook endpoints, and disabling hooks if not needed.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenClaw's hook ingress mechanism allows automated agent runs via a configured hook token. In affected versions, a hook-triggered run could select a bundled CLI backend that mistakenly receives owner-scoped MCP loopback authority rather than a scope appropriate for hook ingress. This flaw affects deployments with hooks enabled and accessible at /hooks/agent with a valid hook token. The vulnerability enables callers with the hook token to execute CLI runtimes with elevated owner-only MCP tool privileges, potentially exposing sensitive owner-only actions such as persistent cron state manipulation. The vulnerability is resolved in OpenClaw stable release 2026.5.20.
Potential Impact
An attacker possessing a valid hook token can trigger CLI runs with owner-level MCP tool authority, allowing access to or execution of owner-only management functions. The practical impact depends on the specific MCP tools available in the deployment, but it can lead to unauthorized access or control over sensitive owner-only operations.
Mitigation Recommendations
Upgrade OpenClaw to version 2026.5.20 or later, where this vulnerability is fixed. Additionally, keep hook tokens confidential, restrict network access to hook endpoints to trusted sources only, and disable hooks if they are not required in the deployment environment.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-6fvr-66p3-3qj4
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-53814"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- HIGH
- Cvss Version
- 4.0
Threat ID: 6a46ecd227e9c7971943f324
Added to database: 07/02/2026, 22:57:22 UTC
Last enriched: 07/02/2026, 23:21:27 UTC
Last updated: 07/02/2026, 23:21:27 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.