CVE-2026-53814: openclaw Hook-Triggered CLI Privilege Escalation to Owner MCP Scope
Anyone holding an openclaw hook token can trigger an agent run that silently receives full owner-level MCP tool authority, letting an outsider call tools that should only be available to the instance
The problem
The `/hooks/agent` ingress endpoint accepts a hook token and can spawn a bundled CLI backend for the triggered run. Before 2026.5.20, that CLI runtime was handed the same owner-scoped MCP loopback bearer token used for interactive owner sessions.
This meant hook-token callers, who should operate at a lower trust level, could reach and invoke MCP tools gated behind owner-only authority. The reported proof of impact used persistent cron state as a representative owner-only action, but the scope of exposure depends on which MCP tools are configured.
Proof of concept
A working proof-of-concept for CVE-2026-53814 in openclaw, with the exact payload below.
```http
POST /hooks/agent HTTP/1.1
Host: <openclaw-gateway>:3000
Content-Type: application/json
Authorization: Bearer <hook-token>

{
  "backend": "cli",
  "message": "cron list --json"
}
```

The root cause is that the hook ingress path shared the same MCP loopback bearer token as the owner session rather than minting a reduced-scope token. Because the CLI runtime used that token to authenticate against the MCP loopback server, the `senderIsOwner` flag was derived as `true`, granting the hook-triggered run owner-tool access it should never have held.
A closely related advisory (CVE-2026-44118) patched the same class of bug one release earlier: the MCP loopback server trusted a client-supplied `senderIsOwner` header with no server-side validation. The 2026.5.20 fix closes the hook-specific variant by ensuring CLI backends spawned from hook ingress are issued a non-owner token, so owner-only tools are unreachable regardless of which backend is selected.
CWE-272 (Least Privilege Violation), CWE-266 (Incorrect Privilege Assignment), and CWE-284 (Improper Access Control) all apply.
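The token-scoping pattern behind the root cause and the fix, as an added JavaScript sketch (not openclaw's code; `LoopbackAuth`, both `tokenForHookRun*` helpers and the tool names are hypothetical). It contrasts reusing the owner token for a hook-spawned run with minting a per-run non-owner token, and derives `senderIsOwner` only from server-side token state.

```javascript
// Added illustration: all class, function and tool names are hypothetical.
// Web Crypto global (Node 19+), with a CommonJS fallback for older runtimes.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const newToken = () =>
  Buffer.from(webcrypto.getRandomValues(new Uint8Array(32))).toString("hex");

// Constructed tool table: which loopback tools require owner authority.
const TOOLS = new Map([
  ["cron.list", { ownerOnly: true }],
  ["echo", { ownerOnly: false }],
]);

class LoopbackAuth {
  constructor() {
    this.records = new Map(); // token -> { owner, expiresAt }
    this.ownerToken = this.mint(true, Infinity);
  }
  mint(owner, ttlMs) {
    const token = newToken();
    this.records.set(token, { owner, expiresAt: Date.now() + ttlMs });
    return token;
  }
  revoke(token) {
    this.records.delete(token);
  }
  // senderIsOwner is derived only from the server-side record for the token;
  // clientClaims (headers, body fields) are accepted but never consulted.
  callTool(token, tool, clientClaims = {}) {
    const rec = this.records.get(token);
    if (!rec || rec.expiresAt < Date.now()) return { ok: false, reason: "unauthenticated" };
    const def = TOOLS.get(tool);
    if (!def) return { ok: false, reason: "unknown-tool" };
    const senderIsOwner = rec.owner === true;
    if (def.ownerOnly && !senderIsOwner) return { ok: false, reason: "owner-only" };
    return { ok: true, senderIsOwner };
  }
}

// Pre-fix pattern from the advisory: the hook-spawned CLI reuses the owner token.
function tokenForHookRunShared(auth) {
  return auth.ownerToken;
}
// Post-fix pattern: a fresh, short-lived, non-owner token for that one run.
function tokenForHookRunScoped(auth) {
  return auth.mint(false, 60_000);
}
```

Calling `revoke` on the per-run token when the spawned process exits keeps a leaked token from outliving the run.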
The fix
Upgrade to `openclaw@2026.5.20` or later (`npm install -g openclaw@2026.5.20`). As a defense-in-depth measure: treat hook tokens as secrets, restrict network access to the hook endpoint, and disable hooks entirely when not in use (`openclaw hooks disable <name>`).
Reported by VladimirEliTokarev.
Related research
- high · 7.1 · CVE-2026-53831: openclaw system.run Safe-Bin Allowlist Bypass via Shell Expansion
- high · 8.8 · CVE-2026-53810: openclaw Marketplace Runtime Extension Metadata Code Injection
- high · CVE-2026-53832: openclaw Trusted-Proxy Identity Header Forgery via Same-Host Loopback
- high · 8 · CVE-2026-53817: openclaw Control UI Locality Spoofing to Admin Token Mint