CVE-2026-44118 Overview
CVE-2026-44118 is an authentication bypass vulnerability in OpenClaw versions before 2026.4.22. The flaw resides in the gateway component, which derives loopback Model Context Protocol (MCP) owner context from spoofable server-issued bearer tokens passed in request headers. A non-owner loopback client can manipulate the sender-owner header metadata to present itself as the owner, bypassing owner-gated operations. The vulnerability is tracked as CWE-290: Authentication Bypass by Spoofing.
Critical Impact
Local attackers with low privileges can escalate to owner context, gaining unauthorized access to owner-restricted MCP operations and sensitive runtime state.
Affected Products
- OpenClaw versions prior to 2026.4.22
- OpenClaw gateway CLI backend (gateway-cli-backend)
- OpenClaw MCP loopback runtime
Discovery Timeline
- 2026-05-06 - CVE-2026-44118 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-44118
Vulnerability Analysis
The vulnerability stems from how the OpenClaw gateway determines whether an MCP loopback client should be treated as the session owner. Prior to the patch, the gateway propagated the boolean OPENCLAW_MCP_SENDER_IS_OWNER environment variable alongside a single shared OPENCLAW_MCP_TOKEN to spawned CLI processes. The owner context was effectively asserted by header metadata rather than cryptographic proof.
Because the sender-owner indicator was carried in client-controllable header metadata, a non-owner loopback client could declare itself as the owner. The MCP server accepted the spoofed claim and authorized owner-only operations. This breaks the trust boundary between owner and non-owner loopback clients sharing the same host.
Root Cause
The root cause is conflation of authentication with self-asserted metadata. The gateway issued one bearer token usable by both owner and non-owner contexts, then relied on a separate header flag to distinguish them. Anyone holding the shared token could set the flag arbitrarily.
Attack Vector
Exploitation requires local access and low privileges on a host running OpenClaw. An attacker with a non-owner loopback session manipulates the sender-owner header metadata when issuing requests to the MCP endpoint. The gateway honors the spoofed claim and grants owner-gated functionality, resulting in high impact to confidentiality, integrity, and availability of the MCP session.
// Patch: src/agents/cli-runner/prepare.ts
: undefined,
env: mcpLoopbackRuntime
? {
- OPENCLAW_MCP_TOKEN: mcpLoopbackRuntime.token,
+ OPENCLAW_MCP_TOKEN:
+ params.senderIsOwner === true
+ ? mcpLoopbackRuntime.ownerToken
+ : mcpLoopbackRuntime.nonOwnerToken,
OPENCLAW_MCP_AGENT_ID: sessionAgentId ?? "",
OPENCLAW_MCP_ACCOUNT_ID: params.agentAccountId ?? "",
OPENCLAW_MCP_SESSION_KEY: params.sessionKey ?? "",
OPENCLAW_MCP_MESSAGE_CHANNEL: params.messageProvider ?? "",
- OPENCLAW_MCP_SENDER_IS_OWNER: params.senderIsOwner === true ? "true" : "false",
}
: undefined,
warn: (message) => cliBackendLog.warn(message),
Source: GitHub commit 3cb1a56. The fix replaces the single shared token plus owner-flag scheme with two distinct tokens (ownerToken and nonOwnerToken), so owner context is derived from which token the client presents rather than a header claim.
Detection Methods for CVE-2026-44118
Indicators of Compromise
- Loopback MCP requests where the sender-owner or equivalent header is set to true from a process that was not authorized as owner.
- Unexpected owner-only MCP operations (privileged tool calls, configuration changes) initiated from non-owner agent sessions.
- OpenClaw gateway logs showing owner-gated actions correlated with multiple distinct loopback PIDs in a short window.
Detection Strategies
- Audit OpenClaw gateway logs for owner-context operations and correlate against the originating CLI runner process and session key.
- Inspect the OPENCLAW_MCP_SENDER_IS_OWNER environment variable on running CLI runner processes; in patched deployments this variable should no longer be present.
- Compare bearer tokens used on inbound MCP loopback requests against the issued ownerToken to detect reuse of a shared token.
Monitoring Recommendations
- Forward OpenClaw gateway and MCP loopback runtime logs to a centralized log store and alert on owner-gated operations originating from non-owner sessions.
- Monitor process creation events for cli-runner invocations and capture environment variables to identify pre-patch deployments.
- Track installed OpenClaw versions across the fleet and alert on any host running a release older than 2026.4.22.
How to Mitigate CVE-2026-44118
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.22 or later on every host running the gateway or CLI runner.
- Rotate any MCP loopback bearer tokens issued by pre-patch versions, since they were shared across owner and non-owner contexts.
- Restrict local access to hosts running OpenClaw to trusted users until the upgrade is complete.
Patch Information
The fix is implemented in GitHub commit 3cb1a56 and described in GitHub Security Advisory GHSA-r6xh-pqhr-v4xh. The patch modifies src/agents/cli-runner/prepare.ts and src/gateway/gateway-cli-backend.live-helpers.ts to issue distinct ownerToken and nonOwnerToken values and to derive owner context from the presented bearer token via resolveMcpLoopbackBearerToken. Additional context is available in the VulnCheck advisory.
Workarounds
- If immediate upgrade is not possible, prevent untrusted local users from creating non-owner loopback sessions on hosts running OpenClaw.
- Disable or firewall the MCP loopback endpoint where owner-gated operations are not required for normal workflows.
- Apply host-level access controls so only the intended owner principal can reach the gateway loopback socket.
# Verify installed version and upgrade
openclaw --version
npm install -g openclaw@2026.4.22
# Confirm the deprecated owner flag is no longer set on running runners
ps -eo pid,command | grep cli-runner
cat /proc/<pid>/environ | tr '\0' '\n' | grep OPENCLAW_MCP_SENDER_IS_OWNER
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
