Medium severity5.4NVD Advisory· Published May 11, 2026· Updated May 13, 2026
CVE-2026-44998
CVE-2026-44998
Description
OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
3- github.com/openclaw/openclaw/commit/0e7a992d3f3155199c1acc2dd9a53c5b3a4d3adanvdPatch
- github.com/openclaw/openclaw/security/advisories/GHSA-qrp5-gfw2-gxv4nvdThird Party Advisory
- www.vulncheck.com/advisories/openclaw-tool-policy-bypass-via-bundled-mcp-lsp-toolsnvdThird Party AdvisoryPatch
News mentions
0No linked articles in our index yet.