Severity: high (8.4) · CVE-2026-53814 · Jul 2, 2026

CVE-2026-53814: openclaw Hook-Triggered CLI Privilege Escalation to Owner MCP Scope

Rohit Hatagale
AI Security Researcher, SecureLayer7

Anyone holding an openclaw hook token can trigger an agent run that silently receives full owner-level MCP tool authority, letting an outsider call tools that should only be available to the instance

Package: openclaw
Ecosystem: npm
Affected: < 2026.5.20
Fixed in: 2026.5.20

The problem

The `/hooks/agent` ingress endpoint accepts a hook token and can spawn a bundled CLI backend for the triggered run. Before 2026.5.20, that CLI runtime was handed the same owner-scoped MCP loopback bearer token used for interactive owner sessions.

This meant hook-token callers, who should operate at a lower trust level, could reach and invoke MCP tools gated behind owner-only authority. The reported proof of impact used persistent cron state as a representative owner-only action, but the scope of exposure depends on which MCP tools are configured.

Proof of concept

A working proof-of-concept for CVE-2026-53814 in openclaw, with the exact payload below.

```http
POST /hooks/agent HTTP/1.1
Host: <openclaw-gateway>:3000
Content-Type: application/json
Authorization: Bearer <hook-token>

{
  "backend": "cli",
  "message": "cron list --json"
}
```

The root cause is that the hook ingress path shared the same MCP loopback bearer token as the owner session rather than minting a reduced-scope token. Because the CLI runtime used that token to authenticate against the MCP loopback server, the `senderIsOwner` flag was derived as `true`, granting the hook-triggered run owner-tool access it should never have held.

A closely related advisory (CVE-2026-44118) patched the same class of bug one release earlier: the MCP loopback server trusted a client-supplied `senderIsOwner` header with no server-side validation. The 2026.5.20 fix closes the hook-specific variant by ensuring CLI backends spawned from hook ingress are issued a non-owner token, so owner-only tools are unreachable regardless of which backend is selected.

CWE-272 (Least Privilege Violation), CWE-266 (Incorrect Privilege Assignment), and CWE-284 (Improper Access Control) all apply.

The fix

Upgrade to `openclaw@2026.5.20` or later (`npm install -g openclaw@2026.5.20`). As a defense-in-depth measure: treat hook tokens as secrets, restrict network access to the hook endpoint, and disable hooks entirely when not in use (`openclaw hooks disable <name>`).

Reported by VladimirEliTokarev.
