Vulnerability  ·  2026-07-18

OpenClaw Hooks allowedAgentIds Bypass via Blank Agent ID (CVE-2026-62219)

VulnerabilityMedium impactGlobalCVE-2026-62219
OpenClaw 2026.2.12 before 2026.5.26 contains an authorization bypass vulnerability in the hooks allowedAgentIds validation. A lower-trust caller or configured input path can bypass agent ID restrictions by submitting blank agent IDs, allowing actions that should require stronger authorization or policy checks. NVD published 2026-07-16/17, CVSS 7.1 (High, CVSS v3.1).
Agent-ID-based access restriction is a foundational control in multi-agent OpenClaw deployments for segregating which agents can trigger which hooks/actions; a trivial blank-value bypass undermines that isolation and could let an unauthorized or lower-trust agent trigger hook-gated actions intended only for specific authorized agent identities.
Submitting a blank/empty agentId value to hooks validation logic to bypass allowedAgentIds restriction checks
OpenClaw 2026.2.12 before 2026.5.26
Upgrade to OpenClaw 2026.5.26 or later; see GitHub security advisory GHSA-724r-v4wf-mqc5
GitHub Security Advisory GHSA-724r-v4wf-mqc5NVD CVE-2026-62219
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →