VYPR
Medium severity 6.6 · NVD Advisory · Published Jun 11, 2026

CVE-2026-53818

Description

Authorization bypass in OpenClaw MCP loopback allows non-owner callers to skip owner-only tool policies, potentially executing restricted tools.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenClaw before version 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature. Non-owner callers can skip owner-only tool policies and before-tool-call hooks by reaching the affected loopback path when the feature is enabled and reachable. [1][2]

Exploitation

An attacker with network access to the MCP loopback endpoint, without being the owner, can send crafted requests to invoke owner-only tools. The attack requires the feature to be enabled and reachable, but no special authentication beyond network access. [1][2]

Impact

Successful exploitation allows the attacker to invoke owner-only behavior through the loopback path, potentially executing restricted tools. The practical impact depends on the operator's configuration and whether lower-trust input can reach that path. [1][2]

Mitigation

Upgrade to OpenClaw version 2026.4.24 or later, which patches the vulnerability. As a workaround, restrict MCP loopback access to trusted operators, keep channel and tool allowlists narrow, and disable the feature if not needed. [1]

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • OpenClaw/Openclaw (inferred, 2 versions)
    <2026.4.24 (+1 more)
    • (no CPE) range: <2026.4.24
    • (no CPE) range: <2026.4.24

Patches

1
cbcfdf62c729

chore(release): prepare 2026.4.24

https://github.com/OpenClaw/OpenClaw · Peter Steinberger · Apr 25, 2026 · Fixed in 2026.4.24 via release-tag
2 files changed · +2 -2
  • package.json (+1 -1, modified)
    @@ -1,6 +1,6 @@
     {
       "name": "openclaw",
    -  "version": "2026.4.24-beta.6",
    +  "version": "2026.4.24",
       "description": "Multi-channel AI gateway with extensible messaging integrations",
       "keywords": [],
       "homepage": "https://github.com/openclaw/openclaw#readme",
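
Review bot: the `"version"` change from `2026.4.24-beta.6` to `2026.4.24` is the whole of this hunk, so nothing here shows the MCP loopback authorization fix that the advisory attributes to 2026.4.24. Please reference the commit that carries the fix in the release commit message or release notes, so anyone auditing the tag can confirm the fix is included rather than inferring it from the version number.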
    
  • src/config/schema.base.generated.ts (+1 -1, modified)
    @@ -27959,6 +27959,6 @@ export const GENERATED_BASE_CONFIG_SCHEMA: BaseConfigSchemaResponse = {
           tags: ["advanced", "url-secret"],
         },
       },
    -  version: "2026.4.24-beta.6",
    +  version: "2026.4.24",
       generatedAt: "2026-03-22T21:17:33.302Z",
     };
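
Review bot: `generatedAt` still reads `2026-03-22T21:17:33.302Z` in the context line directly below the changed `version`, which suggests this generated file was edited by hand rather than regenerated for the release. Either rerun the schema generator so both fields move together, or, if the timestamp is deliberately pinned, note that in the generator so the mismatch is not mistaken for a stale artifact.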
    

Vulnerability mechanics

Root cause

"Missing authorization checks in the MCP loopback feature allow non-owner callers to bypass owner-only tool policies and before-tool-call hooks."

Attack vector

An attacker with local, low-privileged access can exploit the MCP loopback feature to bypass owner-only tool policies and before-tool-call hooks [patch_id=5643568]. When the loopback feature is enabled and reachable, the attacker invokes owner-only behavior through the affected loopback path, allowing execution of restricted tools that should require higher privileges. The advisory does not specify the exact network path or payload shape beyond identifying the MCP loopback mechanism as the attack vector.

Affected code

The patch only bumps the version string from `2026.4.24-beta.6` to `2026.4.24` in `package.json` and `src/config/schema.base.generated.ts`. No functional code changes are present, so the patch does not reveal which source files contain the MCP loopback authorization bypass vulnerability described in the advisory.

What the fix does

The patch only increments the version string from a beta release to the stable `2026.4.24` release; no source code changes are included in the diff. The advisory states that OpenClaw before 2026.4.24 contains the vulnerability, implying the fix was applied in a prior commit or is part of the release process itself. Without a functional diff, the specific remediation—such as adding authorization checks to the MCP loopback path—cannot be confirmed from this patch alone.

Preconditions

  • config: The MCP loopback feature must be enabled and reachable by the attacker.
  • auth: The attacker must have local, low-privileged access to the system.
  • input: The attacker must be able to send requests through the loopback path that bypass owner-only policies.

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
