GHSA-QRP5-GFW2-GXV4: Security Policy Bypass in OpenClaw via Bundled MCP/LSP Tools

DEV Community·CVE Reports·about 1 month ago

Vulnerability ID: GHSA-QRP5-GFW2-GXV4
CVSS Score: Not Assigned
Published: 2026-04-25

A logic flaw in the OpenClaw agent platform's tool orchestration pipeline allowed bundled Model Context Protocol (MCP) and Language Server Protocol (LSP) tools to bypass all configured security policies. The vulnerability stems from a merge-after-filter implementation defect, resulting in unauthorized tool execution.

TL;DR

OpenClaw failed to apply security policies to bundled MCP/LSP tools, allowing attackers to bypass allowlists and execute restricted operations. The patch introduces strict server-side validation and enforces the policy pipeline on all tool types.…
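To make the "merge-after-filter" defect concrete, here is an added illustration (not OpenClaw's code; the tool names, the Tool/Policy classes and the resolver function names are assumptions) of a tool-orchestration pipeline that filters user-configured tools against an allowlist and then appends bundled MCP/LSP tools, so the bundled tools never pass through the policy. The fixed resolver merges first and filters the whole list, and a separate dispatch-time check re-validates every call server-side regardless of how the exposed tool list was built, which is the defence-in-depth the advisory's patch description points at.

```python
"""Merge-after-filter tool-policy defect and its fix (constructed example).

Assumptions: tool names, sources and the Tool/Policy classes below are
illustrative and are not OpenClaw's real identifiers or code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    name: str
    source: str  # assumed labels: "user", "mcp" or "lsp"


@dataclass(frozen=True)
class Policy:
    """Allowlist policy: only tools whose name is listed may be exposed or run."""
    allowlist: frozenset

    def permits(self, tool: Tool) -> bool:
        return tool.name in self.allowlist


def filter_tools(tools, policy):
    """The policy pipeline: drop every tool the policy does not permit."""
    return [t for t in tools if policy.permits(t)]


def resolve_tools_vulnerable(user_tools, bundled_tools, policy):
    """Merge-after-filter: the policy runs over user-configured tools only, and
    the bundled MCP/LSP tools are appended afterwards, so they skip the filter."""
    allowed = filter_tools(user_tools, policy)
    return allowed + list(bundled_tools)


def resolve_tools_fixed(user_tools, bundled_tools, policy):
    """Filter-after-merge: every tool, whatever its source, goes through the policy."""
    merged = list(user_tools) + list(bundled_tools)
    return filter_tools(merged, policy)


def dispatch(tool_name, resolved_tools, policy):
    """Server-side check at execution time, independent of how the resolved
    list was built: a tool that slipped past resolution is still denied here."""
    by_name = {t.name: t for t in resolved_tools}
    tool = by_name.get(tool_name)
    if tool is None:
        raise LookupError(f"unknown tool: {tool_name}")
    if not policy.permits(tool):
        raise PermissionError(f"policy denies tool {tool.name!r} from {tool.source}")
    return f"executed {tool.name}"


def is_denied(tool_name, resolved_tools, policy) -> bool:
    """True if dispatch refuses the call on policy grounds."""
    try:
        dispatch(tool_name, resolved_tools, policy)
    except PermissionError:
        return True
    return False


# Constructed sample inputs (not real OpenClaw tools): one restricted user tool
# and one restricted bundled MCP tool, neither of which is on the allowlist.
USER_TOOLS = [Tool("read_file", "user"), Tool("shell_exec", "user")]
BUNDLED_TOOLS = [Tool("lsp_rename", "lsp"), Tool("mcp_run_command", "mcp")]
POLICY = Policy(allowlist=frozenset({"read_file", "lsp_rename"}))


def exposed_names(resolver):
    """Sorted names of the tools a resolver exposes to the agent under POLICY."""
    return sorted(t.name for t in resolver(USER_TOOLS, BUNDLED_TOOLS, POLICY))


if __name__ == "__main__":
    print("vulnerable:", exposed_names(resolve_tools_vulnerable))
    print("fixed:     ", exposed_names(resolve_tools_fixed))
    leaked = resolve_tools_vulnerable(USER_TOOLS, BUNDLED_TOOLS, POLICY)
    print("dispatch denies mcp_run_command:", is_denied("mcp_run_command", leaked, POLICY))
```

Running it shows the vulnerable resolver exposing `mcp_run_command` even though it is not on the allowlist, while the fixed resolver exposes only the two allowlisted names; the dispatch-time check denies the leaked tool either way, which is why enforcing the policy at the execution boundary matters even when the list-building order is correct.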
