CVE Reports

Posted on • Originally published at cvereports.com

GHSA-QRP5-GFW2-GXV4: Security Policy Bypass in OpenClaw via Bundled MCP/LSP Tools

Vulnerability ID: GHSA-QRP5-GFW2-GXV4
CVSS Score: Not Assigned
Published: 2026-04-25

A logic flaw in the OpenClaw agent platform's tool orchestration pipeline allowed bundled Model Context Protocol (MCP) and Language Server Protocol (LSP) tools to bypass all configured security policies. The vulnerability stems from a merge-after-filter implementation defect, resulting in unauthorized tool execution.

TL;DR

OpenClaw failed to apply security policies to bundled MCP/LSP tools, allowing attackers to bypass allowlists and execute restricted operations. The patch introduces strict server-side validation and enforces the policy pipeline on all tool types.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863, CWE-285
  • Attack Vector: Network / API
  • Impact: Authorization Bypass / Unauthorized Tool Execution
  • Exploit Status: poc
  • Authentication Required: None (Requires session initiation capability)

Affected Systems

  • OpenClaw Agent Platform
  • OpenClaw Embedded Runner
  • OpenClaw MCP Runtime Module
  • OpenClaw LSP Runtime Module
  • OpenClaw: < commit 0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada (Fixed in: 0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada)

Code Analysis

Commit: 0e7a992

Fix: Subject all MCP and LSP bundled tools to final effective tool policy and harden gateway identity signals.
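
The merge-after-filter defect and the fix summarized above, reduced to a minimal model. This is an added example, not OpenClaw's code: the `Tool` and `ToolPolicy` types, the function names and the sample tool names are hypothetical. `policyEscapes` is the kind of regression check that flags any tool in the final set that the effective policy does not permit.

```typescript
// Added illustration; every name here is hypothetical, not OpenClaw's API.
type ToolSource = "core" | "mcp" | "lsp";
interface Tool { name: string; source: ToolSource; }
interface ToolPolicy { allow: string[]; deny: string[]; }

// Deny wins over allow; an empty allowlist means no allowlist is configured.
function isPermitted(tool: Tool, policy: ToolPolicy): boolean {
  if (policy.deny.includes(tool.name)) return false;
  return policy.allow.length === 0 || policy.allow.includes(tool.name);
}

// Defective order: policy is applied to core tools only, then bundled
// MCP/LSP tools are merged into the result without being filtered.
function resolveMergeAfterFilter(core: Tool[], bundled: Tool[], policy: ToolPolicy): Tool[] {
  const filtered = core.filter((t) => isPermitted(t, policy));
  return [...filtered, ...bundled];
}

// Corrected order: merge every source first, then apply the effective
// policy once, as the last step before tools are exposed to the agent.
function resolveFilterAfterMerge(core: Tool[], bundled: Tool[], policy: ToolPolicy): Tool[] {
  return [...core, ...bundled].filter((t) => isPermitted(t, policy));
}

// Regression check: tools present in a resolved set that policy forbids.
function policyEscapes(resolved: Tool[], policy: ToolPolicy): string[] {
  return resolved.filter((t) => !isPermitted(t, policy)).map((t) => `${t.source}:${t.name}`);
}

// Constructed sample data.
const samplePolicy: ToolPolicy = { allow: ["read_file", "search"], deny: ["exec"] };
const coreTools: Tool[] = [
  { name: "read_file", source: "core" },
  { name: "exec", source: "core" },
];
const bundledTools: Tool[] = [
  { name: "search", source: "mcp" },
  { name: "exec", source: "mcp" },
  { name: "rename_symbol", source: "lsp" },
];

const defectiveSet = resolveMergeAfterFilter(coreTools, bundledTools, samplePolicy);
const correctedSet = resolveFilterAfterMerge(coreTools, bundledTools, samplePolicy);
console.log("merge-after-filter escapes:", policyEscapes(defectiveSet, samplePolicy));
console.log("filter-after-merge escapes:", policyEscapes(correctedSet, samplePolicy));
```
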

Mitigation Strategies

  • Upgrade OpenClaw to the patched release containing the April 17, 2026 commit.
  • Disable non-essential MCP and LSP runtimes in restricted agent environments.
  • Implement application-level filtering to inspect and reject message.action payloads invoking restricted tools.

Remediation Steps:

  1. Identify all OpenClaw instances running versions prior to the April 17, 2026 patch.
  2. Review agent configurations to audit the utilization of bundled MCP and LSP runtimes.
  3. Deploy the updated OpenClaw binary containing commit 0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada.
  4. Configure SIEM logic to monitor OpenClaw logs for spoofing warning messages.

Read the full report for GHSA-QRP5-GFW2-GXV4 on our website for more details including interactive diagrams and full exploit analysis.
