HIGH 8.4

GHSA-6fvr-66p3-3qj4

OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority

Details

### Summary

OpenClaw hook ingress can start automated agent runs using a configured hook token. In affected releases, a hook-triggered run could select a bundled CLI backend that received owner-scoped MCP loopback authority instead of a scope appropriate for hook ingress.

This issue affects the boundary between hook-token automation and owner-only MCP tools. It does not affect deployments with hooks disabled.

### Affected configurations

This affects deployments where hooks are enabled, `/hooks/agent` is reachable with a valid hook token, and a bundled CLI backend can be selected for the hook-triggered run.

### Impact

A caller with the hook token could cause the spawned CLI runtime to see or call MCP tools that should have been owner-only. The practical impact depends on which MCP tools are available; the reported proof used persistent cron state as a representative owner-only action.

### Patched Versions

The first stable patched version is `2026.5.20`.

### Mitigations

Upgrade to `openclaw@2026.5.20` or later. Keep hook tokens secret, restrict network access to hook endpoints, and disable hooks when they are not needed.
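To confirm the upgrade reached every installed copy, the following added example (not part of the advisory or of OpenClaw's code) scans an npm lockfile for `openclaw` entries older than `2026.5.20`. The sample lockfile and the package names `some-plugin` and `openclaw-extras` are constructed, and treating a prerelease of `2026.5.20` as affected is an assumption based on the advisory naming only the stable release as patched.

```javascript
// Added example: flag openclaw installs older than the fixed release in the advisory.
const FIXED = "2026.5.20"; // fixed stable version, taken from the advisory

// Parse "YYYY.M.D" with an optional "-prerelease" suffix and "+build" metadata.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` sorts before the fixed stable release.
// Assumption: a prerelease of the fixed version counts as affected, because
// the advisory names only the stable release as patched.
function isAffected(version, fixed = FIXED) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  if (!a || !b) return true; // unparseable: fail closed and review by hand
  for (let i = 0; i < 3; i++) {
    // Compare numerically so that month 10 sorts after month 5.
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre;
}

// Walk an npm lockfile (v2/v3 "packages" map) and list every affected openclaw
// copy, including ones nested under another package's node_modules.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/openclaw$/.test(path)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/openclaw": { version: "2026.5.12" },
    "node_modules/some-plugin/node_modules/openclaw": { version: "2026.5.20" },
    "node_modules/openclaw-extras": { version: "1.0.0" },
  },
};

console.log(findAffected(sampleLock));
```

In a real project, pass the parsed contents of `package-lock.json` to `findAffected` in place of `sampleLock`.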

Affected packages

npm / openclaw

- Introduced in: 0
- Fixed in: 2026.5.20
- Fix: `npm install openclaw@2026.5.20`