CVE-2026-44998: OpenClaw < 2026.4.20 - Tool Policy Bypass via Bundled MCP/LSP Tools

Published May 11, 2026
·
Updated

OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.

Affected Software

2 affected components
OpenClaw OpenClaw<2026.4.20
OpenClaw Openclaw Node.js<2026.4.20

Remediation

Patch Available

https://github.com/openclaw/openclaw/commit/0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada

Patch Available

https://www.vulncheck.com/advisories/openclaw-tool-policy-bypass-via-bundled-mcp-lsp-tools

Event History

May 11, 2026
CVE Published
via MITRE·04:46 PM
Data Sourced
via MITRE·04:46 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·06:16 PM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-44998?

CVE-2026-44998 is classified as a medium severity vulnerability due to its potential for exploitation by local attackers.

2

How do I fix CVE-2026-44998?

To fix CVE-2026-44998, upgrade OpenClaw to version 2026.4.20 or later.

3

What does CVE-2026-44998 affect?

CVE-2026-44998 affects OpenClaw versions prior to 2026.4.20, specifically concerning tool policy configurations.

4

Who can exploit CVE-2026-44998?

Attackers with local agent access can exploit CVE-2026-44998 to bypass tool restrictions.

5

What type of vulnerability is CVE-2026-44998?

CVE-2026-44998 is a tool policy bypass vulnerability that allows unauthorized access to restricted tools.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203