CVE-2026-53814
8.3 HIGHOpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped ...
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS
- 8.3 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
- CWE
- CWE-266
Description
OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-49060 — Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation (9.8 CRITICAL)
- CVE-2026-47169 — Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support
- CVE-2026-11620 — A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646 (5.3 MEDIUM)
- CVE-2026-11619 — A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2 (6.3 MEDIUM)
- CVE-2026-11555 — A vulnerability was identified in D-Link DGS-1100-08PD 1.00.006 (3.7 LOW)