OpenClaw Tool Policy Bypass Vulnerability via Bundled MCP and LSP Tools

A tool policy bypass vulnerability has been identified in OpenClaw versions prior to 2026.4.20. This vulnerability allows bundled MCP and LSP tools to circumvent established tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after the initial policy filtering, thereby bypassing various profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.

Impact

Exploitation of this vulnerability could lead to unauthorized tools being available to an agent, allowing actions that should have been restricted by the tool policy. This could include bypassing owner-only tool restrictions and manipulating sandbox or subagent policies.

Reproduction

To reproduce this vulnerability, an operator must configure a policy that restricts certain tools, such as an allow/deny list or owner-only restrictions. Then, a bundled MCP or LSP tool that should be restricted can be appended to the effective tool set, circumventing the established policy.

Remediation

Users can update to OpenClaw version 2026.4.20 or later, where this vulnerability has been patched.