Main Vulnerability Database Vulnerabilities #VU132770

Improper access control in OpenClaw - #VU132770

Published: May 29, 2026

Vulnerability identifier: #VU132770

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenClaw

Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to access bundled tools outside the intended provider policy.

The vulnerability exists due to improper access control in embedded runner policy handling when processing requests that use provider aliases. A remote user can send a request using provider aliases to access bundled tools outside the intended provider policy.

Only deployments where the affected feature is enabled and reachable are exposed, and practical impact depends on whether lower-trust input can reach the affected path.

Remediation

Install security update from vendor's website.

Sources

https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m

Improper access control in OpenClaw - #VU132770

Detailed vulnerability description

Remediation

Sources

Please verify you're human