Lucene search
K

8 matches found

OSV
OSV
added 6 days ago6 views

GHSA-QH2F-99MV-MRCF OpenClaw: Bundle MCP loopback could miss its exec denylist on session spawn

Summary Bundle MCP loopback could miss its exec denylist on session spawn. In affected versions, a caller that can reach the affected bundled MCP session-spawn path could bypass the denylist that was intended for that loopback MCP entry point. This advisory is scoped to the named feature and...

6.9CVSS6AI score0.00094EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/13 12:34 a.m.9 views

EUVD-2026-36608

OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command...

6.9CVSS5.2AI score0.00094EPSS
Exploits0References3
NVD
NVD
added 2026/06/12 10:16 p.m.14 views

CVE-2026-53820

OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command...

6.9CVSS0.00094EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 9:56 p.m.8 views

CVE-2026-53826 OpenClaw < 2026.4.26 - Information Disclosure via Sandboxed Session Spawn

OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to reveal host workspace location or related memory context ...

4.3CVSS5.3AI score0.00187EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 9:56 p.m.36 views

CVE-2026-53826 OpenClaw < 2026.4.26 - Information Disclosure via Sandboxed Session Spawn

OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to reveal host workspace location or related memory context ...

4.3CVSS0.00187EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 9:56 p.m.22 views

CVE-2026-53820

OpenClaw contains an exec denylist bypass in the bundle MCP loopback session-spawn path prior to version 2026.5.12. This allows authenticated callers to bypass command restrictions and initiate sessions with broader command reach than intended. Affected component: bundle MCP session-spawn; root c...

6.9CVSS5.3AI score0.00094EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/12 9:56 p.m.10 views

CVE-2026-53820 OpenClaw < 2026.5.12 - Exec Denylist Bypass in Bundle MCP Loopback Session Spawn

OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command...

6.9CVSS5.2AI score0.00094EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.14 views

PT-2026-49024

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.12 Description An exec denylist bypass exists in the bundle MCP loopback session-spawn path. This allows authenticated callers to bypass intended command restrictions and start sessions with broader command...

6.9CVSS5.2AI score0.00094EPSS
Exploits0References4
Rows per page
Query Builder