GHSA-qrp5-gfw2-gxv4

Suggest an improvement
Source
https://github.com/advisories/GHSA-qrp5-gfw2-gxv4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qrp5-gfw2-gxv4/GHSA-qrp5-gfw2-gxv4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qrp5-gfw2-gxv4
Downstream
Published
2026-04-25T23:50:38Z
Modified
2026-05-05T16:10:12.092621Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy
Details

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: < 2026.4.20
  • Patched version: 2026.4.20

Impact

Bundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it.

The issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium.

Fix

OpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy.

Fix commit:

  • 0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada

Release

Fixed in OpenClaw 2026.4.20.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:50:38Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

npm / openclaw

Package

Name
openclaw
View open source insights on deps.dev
Purl
pkg:npm/openclaw

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2026.4.20

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qrp5-gfw2-gxv4/GHSA-qrp5-gfw2-gxv4.json"