CVE-2026-62195

OpenClaw · OpenClaw

OpenClaw contains an authorization bypass vulnerability via MCP loopback, allowing authenticated users to perform unauthorized actions with elevated privileges.

Executive summary

An authorization bypass flaw in OpenClaw versions 2026.5.20 to 2026.6.5 enables authenticated users to gain unauthorized access to critical resources.

Vulnerability

The vulnerability is categorized as an Incorrect Permission Assignment for Critical Resource (CWE-732). It allows an authenticated user to bypass authorization checks via an MCP loopback mechanism, leading to potential unauthorized data access or modification.

Business impact

Successful exploitation results in unauthorized access to sensitive data or critical system functions, posing a high risk to data integrity and confidentiality. Given the CVSS score of 8.3, this flaw enables a low-privileged user to escalate their capabilities, which could lead to severe organizational data breaches or unauthorized system control.

Remediation

Immediate Action: Upgrade the OpenClaw instance to version 2026.6.6 or later to ensure the proper authorization logic is enforced.

Proactive Monitoring: Review application and system access logs for anomalous patterns or unexpected privileged actions performed by standard users.

Compensating Controls: Ensure that the application is not exposed to untrusted networks and utilize strict identity and access management (IAM) policies to limit the potential blast radius of compromised accounts.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

This is a high-severity authorization bypass issue that requires immediate attention. Security teams must verify their current version of OpenClaw and apply the 2026.6.6 update as soon as possible to prevent unauthorized access.