CVE-2026-62199

OpenClaw · OpenClaw

OpenClaw is vulnerable to an authentication bypass caused by an incomplete list of disallowed inputs within the application's environment filtering mechanism.

Executive summary

An authentication bypass flaw in OpenClaw allows attackers with low privileges to circumvent security filters and potentially gain unauthorized access.

Vulnerability

This issue is classified as CWE-184 (Incomplete List of Disallowed Inputs). By providing specific inputs that the filtering mechanism fails to block, an authenticated user can bypass security checks, leading to unauthorized access.

Business impact

The ability to bypass authentication mechanisms is a critical risk that undermines the entire security posture of the OpenClaw platform. With a CVSS score of 8.8, this vulnerability allows for unauthorized data access and potential lateral movement, which could lead to significant data breaches or loss of sensitive organizational information.

Remediation

Immediate Action: Update OpenClaw to version 2026.6.6 or higher to ensure the environment filtering logic is correctly implemented.

Proactive Monitoring: Monitor system logs for repeated failed authentication attempts or suspicious input patterns that may indicate an attempt to bypass security filters.

Compensating Controls: Deploy a Web Application Firewall (WAF) configured to inspect and block malformed requests that target the application's environment configuration.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Immediate remediation is required to close this authentication bypass vector. Administrators must apply the version 2026.6.6 update immediately to prevent unauthorized actors from circumventing core security controls.