GHSA-QRP5-GFW2-GXV4: Security Policy Bypass in OpenClaw via Bundled MCP/LSP Tools

OpenClaw is an agent platform that utilizes various tools to interact with the environment, managed through strict security policies. These policies govern tool execution based on allowlists, denylists, and owner-only restrictions to prevent unauthorized actions. The orchestration pipeline is responsible for merging core tools and bundled tools, such as those provided by the Model Context Protocol (MCP) and Language Server Protocol (LSP).

A logic flaw identified as GHSA-QRP5-GFW2-GXV4 exists within the tool aggregation mechanism of the embedded runner. The vulnerability is classified as an authorization bypass (CWE-863) and improper authorization (CWE-285). The system implements a merge-after-filter anti-pattern, where security policies are applied exclusively to core tools before external tools are appended to the execution environment.

Consequently, any bundled MCP or LSP tool introduced into the environment operates entirely outside the defined security boundaries. The platform implicitly trusts the execution context of these bundled tools, granting them unrestricted access to the underlying system. This failure in the authorization pipeline allows attackers to execute administrative or restricted tools despite explicit policy prohibitions.

The primary vulnerability resides in the agent orchestration files src/agents/pi-embedded-runner/compact.ts and run/attempt.ts, where the agent constructs the effectiveTools array. The application logic executes an array concatenation operation that merges core tools with bundled MCP and LSP tools. The core tools are processed through the createOpenClawCodingTools() function, which strictly enforces the tool-policy pipeline against the available tools.

However, the bundled tool arrays, specifically bundleMcpRuntime?.tools and bundleLspRuntime?.tools, are appended to the core tool list after the filtering phase completes. This ordering guarantees that the bundled tools never undergo policy evaluation. The runner environment unconditionally accepts the aggregated list as verified, allowing any tool prefix matching mcp__ or lsp__ to bypass sandbox restrictions, explicit denylists, and execution scoping limits.

A secondary authorization flaw compounds the primary vulnerability by trusting client-provided identity signals without server-side validation. The application accepts the groupId and senderIsOwner parameters directly from incoming HTTP requests without verifying them against authenticated session metadata. Callers can arbitrarily assert administrative ownership or group membership, which the system then utilizes during policy evaluation for the core tools.

An analysis of the vulnerable implementation demonstrates the flawed array concatenation logic. The original code aggregates the tools into a single array, operating under the assumption that the source objects are either previously validated or intrinsically safe. The core tools are successfully filtered, but the spread syntax for the MCP and LSP runtimes operates on raw, unvalidated arrays.

// VULNERABLE CODE (Simplified)
const effectiveTools = [
  ...tools, // Core tools, already filtered by policy
  ...(bundleMcpRuntime?.tools ?? []), // Bundled MCP tools, UNFILTERED
  ...(bundleLspRuntime?.tools ?? []), // Bundled LSP tools, UNFILTERED
];

The patch introduced in commit 0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada restructures the pipeline to enforce a strict policy evaluation sequence. The developers introduced the applyFinalEffectiveToolPolicy function, which accepts the combined raw toolset and processes every element through the global, agent-specific, group-scoped, and sandbox policies.

// PATCHED CODE (Simplified)
const rawTools = [
  ...tools,
  ...(bundleMcpRuntime?.tools ?? []),
  ...(bundleLspRuntime?.tools ?? []),
];
// All tools are explicitly subjected to the security pipeline
const effectiveTools = applyFinalEffectiveToolPolicy(rawTools, sessionPolicies);

Furthermore, the patch addresses the identity spoofing vector by implementing resolveTrustedGroupId and modifying gateway behavior. In src/gateway/server-methods/send.ts, the senderIsOwner flag is now strictly overridden to false for any caller lacking the ADMIN_SCOPE privilege. The resolveTrustedGroupId function explicitly extracts cryptographic bounds from the sessionKey and rejects mismatched user inputs.

Exploitation of this vulnerability requires the attacker to possess the ability to initiate an agent session or transmit a message action within an environment utilizing bundled MCP or LSP runtimes. The attacker does not require administrative privileges or extensive system access, provided the network exposes the OpenClaw API endpoint. The attack relies entirely on standard interaction mechanisms provided by the agent platform.

The attacker begins by enumerating the available bundled tools within the target agent configuration. By monitoring system responses or reviewing exposed agent definitions, the attacker identifies tools such as mcp__bundle__fs_delete or comparable utility operations. The attacker recognizes that these tools are active within the MCP/LSP runtime, regardless of the overarching tools.allow environmental restrictions.

To trigger the vulnerability, the attacker formulates a message.action payload explicitly targeting the identified bundled tool. The payload is transmitted to the OpenClaw server API. Upon receiving the request, the agent resolves the tool from the effectiveTools array and executes the requested command. The execution occurs with the agent's service account privileges, successfully circumventing the intended security boundaries.

The successful exploitation of this vulnerability compromises the authorization architecture of the OpenClaw agent platform. Security engineers rely on tools.allow and tools.deny configurations to restrict agent capabilities, particularly in multi-tenant or strictly sandboxed environments. This bypass nullifies those configurations, exposing the underlying environment to unauthorized operations that were explicitly disabled by the operator.

An attacker leveraging this flaw can perform arbitrary actions supported by the active MCP and LSP runtimes. Depending on the specific tools bundled with the runtime, this results in unauthorized file system access, lateral network request generation, or extraction of sensitive process environment variables. The destructive capabilities are bounded exclusively by the functional scope of the exposed tools.

The vulnerability additionally enables privilege escalation via the unverified senderIsOwner signal. Prior to the patch, the ability to spoof ownership permits an attacker to execute core tools restricted strictly to administrative users. Combined with the unfiltered tool array, these flaws represent a complete collapse of the zero-trust execution model intended for external tool integrations.

The vulnerability is resolved in the April 17, 2026 update of the OpenClaw platform. Organizations must apply the release containing commit 0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada to secure their agent environments. The patch redesigns the authorization pipeline and mandates strict server-side verification of all incoming identity signals.

If immediate patching is unachievable, security teams must implement network-level filtering to block unauthorized message.action payloads targeting bundled tools. Administrators should review all agent configurations and temporarily disable bundled MCP and LSP runtimes unless strictly necessary. This operational change reduces the exposed attack surface by removing the unfiltered tool execution path from the active environment.

Detection engineers must deploy monitoring rules to identify anomalous tool execution patterns. Security Information and Event Management (SIEM) systems should generate alerts on the execution of tools prefixed with mcp__ or lsp__ within restricted segments. Operators must monitor OpenClaw server logs for the specific warning message effective tool policy: dropping caller-provided groupId that does not match session-derived group context, which serves as a definitive indicator of an ongoing exploitation attempt.