PT-2026-39687 · Openclaw · Openclaw

·

CVE-2026-44998

·

Published

2026-04-25

·

Updated

2026-05-11

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.20
Description A tool policy bypass allows bundled MCP (Model Context Protocol) and LSP (Language Server Protocol) tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, which bypasses profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.
Recommendations Update to version 2026.4.20.

Exploit

Fix

Missing Authorization

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44998
GHSA-QRP5-GFW2-GXV4

Affected Products

Openclaw