VDB
EN
HIGH 8.4

GHSA-6fvr-66p3-3qj4

OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority

상세

### Summary

OpenClaw hook ingress can start automated agent runs using a configured hook token. In affected releases, a hook-triggered run could select a bundled CLI backend that received owner-scoped MCP loopback authority instead of a scope appropriate for hook ingress.

This issue affects the boundary between hook-token automation and owner-only MCP tools. It does not affect deployments with hooks disabled.

### Affected configurations

This affects deployments where hooks are enabled, `/hooks/agent` is reachable with a valid hook token, and a bundled CLI backend can be selected for the hook-triggered run.

### Impact

A caller with the hook token could cause the spawned CLI runtime to see or call MCP tools that should have been owner-only. The practical impact depends on which MCP tools are available; the reported proof used persistent cron state as a representative owner-only action.

### Patched Versions

The first stable patched version is `2026.5.20`.

Fixed in the `2026.5.20` stable release.

### Mitigations

Upgrade to `openclaw@2026.5.20` or later. Keep hook tokens secret, restrict network access to hook endpoints, and disable hooks when they are not needed.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / openclaw
최초 영향 버전: 0 수정 버전: 2026.5.20
수정 npm install openclaw@2026.5.20

참고