VYPR
High severity 8.3 · NVD Advisory · Published Jun 11, 2026

CVE-2026-53814

Description

OpenClaw before 2026.5.20 allows hook-triggered agent runs to inherit owner-scoped MCP loopback authority, enabling privilege escalation via the /hooks/agent endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenClaw versions prior to the 2026.5.20 stable release contain a privilege escalation vulnerability (CWE-266) where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of a scope appropriate for hook ingress. The issue affects deployments where hooks are enabled, the /hooks/agent endpoint is reachable with a valid hook token, and a bundled CLI backend can be selected for the hook-triggered run. It does not affect deployments with hooks disabled [1][2].

Exploitation

An attacker who possesses a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools. No additional authentication or user interaction is required beyond having a hook token. The attacker sends a crafted request to the endpoint, triggering a hook run that selects a bundled CLI backend, which then inherits the elevated MCP authority [1][2].

Impact

A successful exploit allows the attacker to see or call MCP tools that should have been restricted to the owner. The practical impact depends on which MCP tools are available; a reported proof of concept used persistent cron state modifications as a representative owner-only action. This could lead to persistent changes, including privilege escalation or system compromise [1][2].

Mitigation

The first stable patched version is 2026.5.20. Users should upgrade to OpenClaw 2026.5.20 or later. Mitigations include keeping hook tokens secret, restricting network access to hook endpoints, and disabling hooks when they are not needed. No workaround other than upgrading or disabling hooks is available [1][2].
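To check whether the network restriction on the hook endpoint actually holds, the following added example (not part of the advisory or of OpenClaw) audits reverse-proxy access logs for `/hooks/agent` requests from unexpected sources. The nginx "combined" log format, the allowlisted networks, the sample lines and the reading of a 2xx status as an accepted request are assumptions.

```python
import ipaddress
import re

HOOK_PATH = "/hooks/agent"  # endpoint named in the advisory
# Assumption: nginx "combined" access-log format on the proxy in front of OpenClaw.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: the only networks expected to deliver hooks (constructed values).
ALLOWED = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "127.0.0.0/8", "::1/128")]

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '10.20.0.15 - - [11/Jun/2026:09:14:02 +0000] "POST /hooks/agent HTTP/1.1" 200 87 "-" "ci-hook/1.0"',
    '203.0.113.44 - - [11/Jun/2026:09:15:40 +0000] "POST /hooks/agent HTTP/1.1" 401 23 "-" "curl/8.5.0"',
    '198.51.100.7 - - [11/Jun/2026:09:16:11 +0000] "POST /hooks/agent?src=x HTTP/1.1" 200 91 "-" "py/3"',
    '198.51.100.7 - - [11/Jun/2026:09:16:30 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "py/3"',
]


def audit_hook_requests(lines, allowed=ALLOWED):
    """List hook-endpoint requests whose source address is outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0].rstrip("/")  # ignore the query string
        if path != HOOK_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP literal; cannot be compared
        if any(src in net for net in allowed):
            continue
        findings.append({
            "ip": str(src),
            "time": m["ts"],
            "status": int(m["status"]),
            # Assumption: 2xx means the request was accepted, i.e. a valid hook
            # token was presented from an unexpected network. Rotate the token.
            "accepted": m["status"].startswith("2"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_hook_requests(SAMPLE_LOG):
        print(finding)
```

Rejected requests from outside the allowlist show the endpoint is reachable more widely than intended; accepted ones are the cases to investigate first.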

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • OpenClaw/Openclaw · inferred · 2 versions
    <2026.5.20 + 1 more
    • (no CPE) range: <2026.5.20
    • (no CPE) range: <2026.5.20

Patches

1
e510042870cf

fix(qa): accept Telegram no-reply timeout details

https://github.com/OpenClaw/OpenClaw · Peter Steinberger · May 21, 2026 · Fixed in 2026.5.20 via release-tag
2 files changed · +25 -5
  • extensions/qa-lab/src/live-transports/telegram/telegram-live.runtime.test.ts · +17 -0 · modified
    @@ -333,6 +333,23 @@ describe("telegram live qa runtime", () => {
         );
       });
     
    +  it("recognizes Telegram observation timeouts with retry details", () => {
    +    expect(
    +      testing.isTelegramObservedMessageTimeoutError(
    +        new Error(
    +          "timed out after 8000ms waiting for Telegram message; last polling error: The operation was aborted due to timeout",
    +        ),
    +        8000,
    +      ),
    +    ).toBe(true);
    +    expect(
    +      testing.isTelegramObservedMessageTimeoutError(
    +        new Error("timed out after 9000ms waiting for Telegram message"),
    +        8000,
    +      ),
    +    ).toBe(false);
    +  });
    +
       it("includes mention gating in the Telegram live scenario catalog", () => {
         const scenarios = testing.findScenario([
           "telegram-help-command",
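
Review bot: the negative case in the new test only varies the timeout value (9000 against 8000), so it does not pin down what the helper accepts after the matched prefix. Because the helper takes `error: unknown`, add cases for a non-Error value and for a message where `timed out after 8000ms waiting for Telegram message` appears but not at the start, so a later change to the matching rule is caught.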
    
  • extensions/qa-lab/src/live-transports/telegram/telegram-live.runtime.ts · +8 -5 · modified
    @@ -1283,6 +1283,12 @@ function assertTelegramScenarioReply(params: {
       }
     }
     
    +function isTelegramObservedMessageTimeoutError(error: unknown, timeoutMs: number) {
    +  return formatErrorMessage(error).startsWith(
    +    `timed out after ${timeoutMs}ms waiting for Telegram message`,
    +  );
    +}
    +
     function resolveTelegramQaScenarioSteps(run: TelegramQaScenarioRun): TelegramQaScenarioStep[] {
       if (run.steps.length === 0) {
         throw new Error("Telegram QA scenario must include at least one step");
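
Review bot: `startsWith` in `isTelegramObservedMessageTimeoutError` accepts any text after `waiting for Telegram message`, which is wider than the retry-detail case the test covers. Consider matching either the exact message or the message followed by `; last polling error:`, and give the helper an explicit `: boolean` return type and a short comment on which suffixes are expected.
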
    @@ -1341,11 +1347,7 @@ async function runTelegramQaScenarioStep(params: {
           sentMessageId: sent.message_id,
         };
       } catch (error) {
    -    if (
    -      !params.step.expectReply &&
    -      formatErrorMessage(error) ===
    -        `timed out after ${stepTimeoutMs}ms waiting for Telegram message`
    -    ) {
    +    if (!params.step.expectReply && isTelegramObservedMessageTimeoutError(error, stepTimeoutMs)) {
           return {
             matched: undefined,
             requestStartedAt: new Date(requestStartedAtMs).toISOString(),
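
Review bot: in the `catch` of `runTelegramQaScenarioStep`, a timeout that carries `last polling error: ...` is now treated as the expected no-reply outcome whenever `expectReply` is false, so a run where polling itself kept failing looks the same as a quiet chat. Keep the polling detail in the returned result or log it before returning, so the two cases stay distinguishable.
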
    @@ -2041,6 +2043,7 @@ export const testing = {
       assertTelegramScenarioReply,
       classifyCanaryReply,
       findScenario,
    +  isTelegramObservedMessageTimeoutError,
       listTelegramQaScenarioCatalog,
       matchesTelegramScenarioReply,
       normalizeTelegramObservedMessage,
    

Vulnerability mechanics

Root cause

"Hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope."

Attack vector

An attacker with a valid hook token sends a crafted request to the `/hooks/agent` endpoint. The hook-triggered agent run incorrectly receives owner-scoped MCP loopback authority instead of the hook-appropriate scope. This allows the spawned CLI runtime to access or invoke owner-only MCP tools, potentially executing privileged actions such as persistent cron state modifications. The attack is network-accessible, requires low privileges (a valid hook token), and needs no user interaction.
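
The scope confusion described under Root cause and Attack vector, as an added illustrative model (not OpenClaw code and not the project's fix): authority for a spawned runtime is minted either unconditionally as owner or derived from the ingress that started the run. All names, the ingress labels and the tool list are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical model of the flaw class (CWE-266); none of these names are OpenClaw's.
OWNER, HOOK = "owner", "hook"

# Tool -> scopes allowed to use it. The cron tool stands in for the owner-only
# action the advisory mentions; the second tool is a constructed low-risk one.
TOOL_ACL = {
    "cron.update": {OWNER},
    "notes.read": {OWNER, HOOK},
}


@dataclass(frozen=True)
class LoopbackGrant:
    run_id: str
    scope: str


def mint_grant_vulnerable(run_id: str, ingress: str) -> LoopbackGrant:
    # Flaw: every spawned runtime gets owner authority, whatever started the run.
    return LoopbackGrant(run_id, OWNER)


def mint_grant_scoped(run_id: str, ingress: str) -> LoopbackGrant:
    # Authority follows the ingress; anything unrecognised gets the narrow scope.
    return LoopbackGrant(run_id, OWNER if ingress == "owner-session" else HOOK)


def visible_tools(grant: LoopbackGrant) -> list:
    """Tools the runtime can see when it lists what is available."""
    return sorted(t for t, scopes in TOOL_ACL.items() if grant.scope in scopes)


def call_tool(grant: LoopbackGrant, tool: str) -> str:
    """Enforce the scope on every call, not only when listing tools."""
    if grant.scope not in TOOL_ACL.get(tool, set()):
        raise PermissionError(f"{tool} denied for scope {grant.scope!r}")
    return f"{tool} ok"


if __name__ == "__main__":
    for mint in (mint_grant_vulnerable, mint_grant_scoped):
        print(mint.__name__, visible_tools(mint("run-1", "hook")))
```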

Affected code

The patch touches only `extensions/qa-lab/src/live-transports/telegram/telegram-live.runtime.ts` and its test file. No files related to hook-triggered agent runs, MCP loopback authority, or privilege escalation are present in the diff. The advisory describes a vulnerability in the `/hooks/agent` endpoint, but the patch does not modify that code path.

What the fix does

The patch refactors a Telegram QA timeout check by extracting `isTelegramObservedMessageTimeoutError` into a reusable helper and exporting it for testing. It does not modify any hook-handling, MCP authority, or privilege-escalation logic. The advisory's described vulnerability remains unaddressed in this commit; the patch is unrelated to the CVE's root cause.

Preconditions

  • auth: Attacker must possess a valid hook token for the /hooks/agent endpoint.
  • network: The OpenClaw instance must be reachable over the network.
  • input: The attacker sends a crafted request to the /hooks/agent endpoint.

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
