GHSA-qrp5-gfw2-gxv4: openclaw: tool policy bypass via bundled MCP/LSP tools
GHSA-qrp5-gfw2-gxv4 (severity: MEDIUM)
A missing authorization check in OpenClaw (npm) allows bundled MCP and LSP tools to be injected into an agent's effective tool set after operator-configured access policies have already been evaluated, silently defeating restrictive controls such as sandbox policies, allowlists, owner-only restrictions, and subagent tool policies. While exploitation requires local configuration (a configured bundled tool source plus a restrictive policy), the impact for organizations relying on OpenClaw's tool restriction mechanisms for least-privilege enforcement in agentic pipelines is significant — your intended security boundary simply does not hold. With 135 other CVEs already attributed to this package and a documented real-world incident (AIID #1368) involving malicious skill delivery through OpenClaw's tool ecosystem, this package carries compounding risk that warrants elevated scrutiny beyond this single advisory. Upgrade to openclaw 2026.4.20 immediately; until patched, audit all configured bundled MCP and LSP tool sources and review agent execution logs for unexpected tool invocations.
What is the risk?
Medium severity with constrained but meaningful blast radius. Exploitation requires two co-present conditions — a configured bundled MCP or LSP tool source and an operator-defined restrictive policy — limiting the affected surface to intentionally hardened deployments. No EPSS data is available, no public exploit exists, and the vulnerability is not in CISA KEV. Risk is elevated in multi-tenant or compliance-oriented environments where tool policies enforce privilege separation or regulatory boundaries, where a silent bypass could enable tools with file system access, external write capabilities, or credential access to execute unchecked. The 135 CVEs in the same package signal systemic security debt.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.20 | 2026.4.20 |
If you run OpenClaw below 2026.4.20 with a bundled MCP or LSP tool source and a restrictive tool policy, you are affected.
What should I do?
1. Upgrade openclaw to version 2026.4.20 or later immediately — the fix applies a final effective tool policy pass to bundled MCP/LSP tools before merging.
2. Until patched, audit all active bundled MCP and LSP tool configurations and remove non-essential tool sources to reduce exposure.
3. Review agent execution logs for unexpected tool invocations that should have been blocked by configured policies.
4. For compliance-sensitive deployments (ISO 42001, EU AI Act), document this control failure as a gap finding and include patch validation in your next compliance review cycle.
5. Post-patch, re-validate policy enforcement by explicitly testing that known-restricted tools are denied under each active policy type (sandbox, allowlist, subagent).
Frequently Asked Questions
Is GHSA-qrp5-gfw2-gxv4 actively exploited?
No confirmed active exploitation of GHSA-qrp5-gfw2-gxv4 has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-qrp5-gfw2-gxv4?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, MCP/LSP tool integrations, sandboxed agentic pipelines, multi-agent orchestration.
What is the CVSS score for GHSA-qrp5-gfw2-gxv4?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.005 AI Agent Tool
- AML.T0053 AI Agent Tool Invocation
- AML.T0084.001 Tool Definitions
- AML.T0107 Exploitation for Defense Evasion
What are the technical details?
Original Advisory
## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`

## Impact

Bundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it.

The issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium.

## Fix

OpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy.

Fix commit:

- `0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada`

## Release

Fixed in OpenClaw `2026.4.20`.
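The merge-order defect and the fix, reduced to a toy model as an added example (this is not OpenClaw's code; the tool objects, the four policy-layer functions and the contexts are constructed stand-ins for the layers the advisory names). It also carries out the post-patch check from the remediation steps: a function that reports any tool left in the effective set that an active policy should have denied.

```javascript
// Added illustration, not OpenClaw's own code. Models the bug described in the
// advisory (policies evaluated over core tools, then bundled MCP/LSP tools
// appended unfiltered) beside the fixed ordering, plus a post-patch check.
// Tool shapes, policy layers and contexts below are all constructed.
const CORE_TOOLS = [
  { name: "read_file", source: "core", writes: false },
  { name: "write_file", source: "core", writes: true },
];
const BUNDLED_TOOLS = [
  { name: "mcp_fs_write", source: "mcp", writes: true },
  { name: "lsp_rename_symbol", source: "lsp", writes: true },
  { name: "mcp_search_docs", source: "mcp", writes: false },
];

// Hypothetical stand-ins for the allowlist, sandbox, subagent and owner-only
// layers. Each returns true when the tool may stay in the effective set.
const POLICY_LAYERS = {
  allowlist: (t, ctx) => !ctx.allow || ctx.allow.includes(t.name),
  sandbox: (t, ctx) => !(ctx.sandboxReadOnly && t.writes),
  subagent: (t, ctx) => !(ctx.isSubagent && ctx.subagentDeny.includes(t.name)),
  ownerOnly: (t, ctx) => ctx.isOwner || !ctx.ownerOnly.includes(t.name),
};
function passesAllPolicies(tool, ctx) {
  return Object.values(POLICY_LAYERS).every((layer) => layer(tool, ctx));
}

// Pre-fix ordering: core tools are filtered, bundled tools are appended as-is.
function buildToolSetVulnerable(core, bundled, ctx) {
  return [...core.filter((t) => passesAllPolicies(t, ctx)), ...bundled];
}
// Fixed ordering: the same policy pass runs over bundled tools before merging.
function buildToolSetFixed(core, bundled, ctx) {
  return [...core, ...bundled].filter((t) => passesAllPolicies(t, ctx));
}

// Post-patch validation: names of tools in the effective set that some active
// policy layer denies. An empty result means the boundary holds.
function policyViolations(effectiveTools, ctx) {
  return effectiveTools.filter((t) => !passesAllPolicies(t, ctx)).map((t) => t.name);
}

// Constructed context: read-only sandbox, running as a subagent that must not
// rename symbols; no allowlist and no owner-only tools configured.
const READ_ONLY_SUBAGENT = {
  allow: null, sandboxReadOnly: true, isSubagent: true,
  subagentDeny: ["lsp_rename_symbol"], isOwner: false, ownerOnly: [],
};
const toolNames = (tools) => tools.map((t) => t.name);
```

With that context the vulnerable ordering leaves `mcp_fs_write` and `lsp_rename_symbol` in the effective set despite the read-only sandbox, while the fixed ordering keeps only `read_file` and the read-only `mcp_search_docs`.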
Exploitation Scenario
An operator configures OpenClaw with a restrictive sandbox tool policy to limit an agent to a read-only tool set for a compliance-sensitive workflow. A bundled MCP server — such as a development-time file-write or external API integration tool — is also present in the agent's tool source configuration. Due to the policy enforcement gap, the bundled MCP tool is merged into the agent's effective tool set after the policy filter runs, making it silently available. An adversary with prompt injection access, or the agent acting on a malicious indirect instruction (e.g., from poisoned document content), invokes the unrestricted file-write tool — bypassing the operator's explicit sandbox restriction and potentially exfiltrating data, modifying configuration files, or establishing persistence in the host environment.
Weaknesses (CWE)
CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
Related Vulnerabilities (same package: openclaw)
- CVE-2026-33579 (9.9) OpenClaw: scope bypass escalates low-priv to admin
- CVE-2026-32922 (9.9) OpenClaw: privilege escalation to RCE via token scope bypass
- CVE-2026-53838 (9.8) OpenClaw: approval scope bypass via reconnection state
- CVE-2026-30741 (9.8) OpenClaw: RCE via request-side prompt injection
- CVE-2026-32038 (9.8) Analysis pending