GHSA-6fvr-66p3-3qj4
OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority
상세
### Summary
OpenClaw hook ingress can start automated agent runs using a configured hook token. In affected releases, a hook-triggered run could select a bundled CLI backend that received owner-scoped MCP loopback authority instead of a scope appropriate for hook ingress.
This issue affects the boundary between hook-token automation and owner-only MCP tools. It does not affect deployments with hooks disabled.
### Affected configurations
This affects deployments where hooks are enabled, `/hooks/agent` is reachable with a valid hook token, and a bundled CLI backend can be selected for the hook-triggered run.
### Impact
A caller with the hook token could cause the spawned CLI runtime to see or call MCP tools that should have been owner-only. The practical impact depends on which MCP tools are available; the reported proof used persistent cron state as a representative owner-only action.
### Patched Versions
The first stable patched version is `2026.5.20`.
Fixed in the `2026.5.20` stable release.
### Mitigations
Upgrade to `openclaw@2026.5.20` or later. Keep hook tokens secret, restrict network access to hook endpoints, and disable hooks when they are not needed.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-53814 [ADVISORY]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-hook-triggered-cli-mcp-tool-authority [WEB]