CVE-2026-44998

Description

OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

OpenClaw < 2026.4.20

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Proof of Concept for CVE-2026-44998
# This script demonstrates the logic flaw where restricted tools
# can be appended after the initial policy filtering.

def simulate_openclaw_tool_policy_bypass():
    # Initial set of tools provided by the agent
    bundled_tools = ['read_file', 'browse_web']
    
    # Configured policy restrictions (Deny List)
    restricted_tools = {'execute_command', 'delete_file'}
    
    # Step 1: Policy Filtering (Normal Flow)
    # System filters out restricted tools from the initial request
    effective_tool_set = [tool for tool in bundled_tools if tool not in restricted_tools]
    print(f"[DEBUG] Post-filter tools: {effective_tool_set}")
    
    # Step 2: The Vulnerability (Bypass Logic)
    # Attacker with local agent access appends restricted tools AFTER filtering
    # This simulates the flawed logic in OpenClaw before 2026.4.20
    malicious_payload = 'execute_command'
    
    # Vulnerable code path allows direct appending without re-checking policy
    effective_tool_set.append(malicious_payload)
    
    print(f"[DEBUG] Final tool set (Bypassed): {effective_tool_set}")
    
    # Step 3: Verification
    if 'execute_command' in effective_tool_set:
        print("[SUCCESS] Restricted tool 'execute_command' added successfully. Policy bypassed.")
    else:
        print("[FAIL] Policy enforced correctly.")

if __name__ == "__main__":
    simulate_openclaw_tool_policy_bypass()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44998
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44998
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44998/
[4] VulDB https://vuldb.com/cve/CVE-2026-44998
[5] https://github.com/openclaw/openclaw/commit/0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada
[6] https://github.com/openclaw/openclaw/security/advisories/GHSA-qrp5-gfw2-gxv4
[7] https://www.vulncheck.com/advisories/openclaw-tool-policy-bypass-via-bundled-mcp-lsp-tools

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44998", "sourceIdentifier": "[email protected]", "published": "2026-05-11T18:16:39.817", "lastModified": "2026-05-12T14:19:41.400", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada", "source": "[email protected]"}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qrp5-gfw2-gxv4", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/openclaw-tool-policy-bypass-via-bundled-mcp-lsp-tools", "source": "[email protected]"}]}}