Listen to this Post
How the mentioned CVE works (technical details):
The vulnerability exists in OpenClaw’s tool‑policy pipeline when bundled MCP (Model Context Protocol) and LSP (Language Server Protocol) tools are merged into the agent’s effective tool set. Normally, an operator can define restrictive policies – tool profiles, explicit allow/deny lists, owner‑only restrictions, sandbox tool policies, or subagent tool policies – that filter core tools early in the pipeline. However, before the fix, bundled MCP/LSP tools were appended after that filtering stage had already completed. This allowed a bundled tool to bypass the policy check entirely. The flaw requires that the operator has both (1) a configured bundled MCP or LSP tool source, and (2) a policy that would have denied that specific tool if it had been a core tool. The attack is local to the agent’s policy‑enforcement mechanism; it does not enable remote unauthenticated compromise. The bypass effectively makes restrictive policies less reliable because an administrator might assume that all tools, including bundled ones, are subject to the same rules. Exploitation does not require special privileges beyond controlling the bundled tool sources. The fix introduces a final effective tool‑policy pass that re‑evaluates each bundled MCP/LSP tool against all relevant policies (profile, provider profile, global/agent/group, owner‑only, sandbox, subagent) before merging them into the tool set used for normal runs and compaction. The patched version is 2026.4.20, commit 0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada.
dailycve form:
Platform: OpenClaw npm
Version: < 2026.4.20
Vulnerability: No CVE ID
Severity: Medium
Date: 2026-04-25
Prediction: Patched 2026-04-20
What Undercode Say:
Check currently installed openclaw version npm list openclaw Identify bundled MCP/LSP tools grep -r "mcpTool|lspTool" node_modules/openclaw/ Simulate policy bypass (pre‑patch) Assume restrictive allowlist only allows "core_tool_a" Bundled MCP tool "mcp_extra" would still appear in agent's toolset openclaw-agent --tool-policy allowlist=core_tool_a --bundled-mcp-enable After patching to 2026.4.20, the same command should reject "mcp_extra" npm install [email protected] openclaw-agent --tool-policy allowlist=core_tool_a --bundled-mcp-enable
Exploit:
No public exploit exists; bypass requires local control of bundled tool source. Attacker could craft a malicious MCP/LSP tool that is appended after policy filtering. If operator relies on a deny‑list that blocks all but approved tools, the malicious bundled tool remains accessible to the agent, allowing unintended actions (e.g., file read, command execution) depending on the tool’s capabilities.
Protection from this CVE:
Update to OpenClaw version 2026.4.20 or later. If unable to upgrade, avoid using bundled MCP/LSP tools together with restrictive policies. Alternatively, manually audit and remove any bundled tool sources that are not explicitly trusted. Use network or filesystem sandboxing to limit the impact of any bypassed tool.
Impact:
Local policy‑enforcement bypass (medium severity). An operator who configured a restrictive tool policy would mistakenly believe that bundled MCP/LSP tools are also filtered. This could lead to unintended tool access, potentially allowing data leakage or unauthorized actions within the agent’s context. Not a remote compromise – requires existing agent access and a misconfigured bundled tool source.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
