3 matches found
EUVD-2026-36324
OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers...
PT-2026-48748
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.24 Description An authorization bypass exists in the MCP loopback feature. This allows non-owner callers to circumvent owner-only tool policies and before-tool-call hooks. When the feature is enabled and...
It is expected that some functions may require either Owner or Delegate as callers. Now only three access options are available: onlyOwner, onlyDelegate, anyone.
Handle Sherlock Vulnerability details Impact That is strange behavior that some functions are available for a Delegate, but not available for an owner himself. Like lock and unlock - according to the understanding of the Visor's design, these functions should be available for the owner as well...