Read through this writeup on four new OpenClaw CVEs and a couple of them made me stop scrolling.
The TOCTOU ones are straightforward but satisfying. The sandbox validates a file path, confirms it's inside the allowed root, then opens it. Two operations. Symlink swap in between. You get read or write access to anything on the host. It's 2026 and we're still shipping check-then-use on filesystem paths.
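The check-then-use pattern beside a hardened open, as an added Python example (my code, not OpenClaw's): the vulnerable function validates the path with realpath and then reopens it by name, while the safe one opens each component relative to a directory fd with O_NOFOLLOW so check and use are the same operation. The `race` callback is a constructed test hook that simulates the symlink swap; assumes a Unix host where `os.open` supports `dir_fd`.

```python
import os
import stat

def _split(rel: str) -> list:
    """Reject absolute paths, '.', '..' and empty components before touching the fs."""
    if os.path.isabs(rel):
        raise PermissionError(f"absolute path rejected: {rel}")
    parts = [p for p in rel.split(os.sep) if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(f"traversal rejected: {rel}")
    return parts

def vulnerable_open(root: str, rel: str, race=None) -> int:
    """Check-then-use: resolve, check containment, then reopen by name.
    `race` is a constructed test hook standing in for an attacker who swaps
    the file for a symlink between the check and the use."""
    _split(rel)
    target = os.path.join(root, rel)
    if not os.path.realpath(target).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError(f"outside sandbox: {rel}")
    if race:
        race()  # the window: the open below re-resolves the name from scratch
    return os.open(target, os.O_RDONLY | os.O_CLOEXEC)  # follows whatever is there now

def safe_open(root: str, rel: str, race=None) -> int:
    """Check and use are one operation: walk component by component relative
    to a directory fd, never following symlinks. O_NOFOLLOW only guards the
    last component of a path, so every component is opened on its own."""
    parts = _split(rel)
    base = os.O_RDONLY | os.O_CLOEXEC | os.O_NOFOLLOW
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        if race:
            race()  # attacker wins the timing; the walk below still refuses links
        for comp in parts[:-1]:
            nfd = os.open(comp, base | os.O_DIRECTORY, dir_fd=fd)
            os.close(fd)
            fd = nfd
        out = os.open(parts[-1], base, dir_fd=fd)
    finally:
        os.close(fd)
    # A hard link to a host file would still pass; catching that needs a
    # separate st_nlink / device check and is out of scope here.
    if not stat.S_ISREG(os.fstat(out).st_mode):
        os.close(out)
        raise PermissionError(f"not a regular file: {rel}")
    return out
```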
But the one that got me was the MCP privilege escalation. When a child process connects back to the OpenClaw server over loopback, the server decides if that process has owner privileges by looking at an HTTP header. That header's value comes from an environment variable. Env vars are inherited by child processes. So literally any code running inside the agent can set OPENCLAW_MCP_SENDER_IS_OWNER=true and the server just... believes it. No validation against the bearer token, nothing.
There's also an env var leak through heredoc expansion bypassing the exec allowlist, which is a nice trick.
All four chain together from a single sandbox foothold into full runtime control. Patched already.