GHSA-rj6p-xmxr-qj4h: OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers
A vulnerability in OpenClaw's MCP loopback allows non-owner callers to bypass owner-only tool policies and before-tool-call hooks. This issue affects versions prior to 2026.4.24. The vulnerability does not alter the trusted-operator model but could enable unauthorized invocation of owner-only behaviors if the affected feature is enabled and accessible. The practical impact depends on the specific operator configuration and exposure to lower-trust inputs. Mitigations include restricting MCP loopback access to trusted operators and disabling the feature if not needed. A patched version is expected but not explicitly listed in the advisory.
AI Analysis
Technical Summary
The MCP loopback feature in OpenClaw versions before 2026.4.24 contains a vulnerability where non-owner callers can bypass owner-only tool policies and before-tool-call hooks by reaching a specific loopback path. This bypass does not affect the overall trusted-operator model but may allow unauthorized execution of owner-only behaviors depending on configuration and exposure. The vulnerability is classified under CWE-862 (Missing Authorization). No known exploits are reported in the wild. The CVSS 4.0 vector indicates moderate severity, with a local attack vector, low complexity, and limited privileges required.
Potential Impact
If the affected feature is enabled and reachable, non-owner callers could invoke owner-only tool behaviors, potentially leading to unauthorized actions within OpenClaw. The extent of impact depends on the operator's configuration and whether untrusted inputs can access the vulnerable loopback path. This could undermine intended access controls for owner-only tools.
Mitigation Recommendations
Restrict MCP loopback access to trusted operators until a patched version is applied. Keep channel and tool allowlists narrow, avoid sharing a Gateway between mutually untrusted users, and disable the affected feature when it is not needed. Update to a patched OpenClaw release once available (version 2026.4.24 or later). Patch status is not yet confirmed; check the vendor advisory for current remediation guidance.
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: GHSA-rj6p-xmxr-qj4h
- OSV Schema Version: 1.4.0
- Aliases: CVE-2026-53818
- Ecosystems: npm
- Database Specific Severity: MODERATE
- CVSS Version: 4.0
Threat ID: 6a46ecc627e9c7971943d96b
Added to database: 07/02/2026, 22:57:10 UTC
Last enriched: 07/02/2026, 23:18:59 UTC
Last updated: 07/02/2026, 23:18:59 UTC