CVE-2026-62190 in OpenClawinfo

Summary

by MITRE • 07/14/2026

OpenClaw versions before 2026.6.9 contain an authorization bypass vulnerability in the flock wrapper that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can leverage configured input paths to bypass durable exec approval binding and perform unauthorized operations when the affected feature is enabled.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The OpenClaw software ecosystem presents a critical authorization bypass vulnerability within its flock wrapper component that fundamentally undermines the security boundaries designed to protect system integrity. This flaw exists in versions prior to 2026.6.9 and represents a significant weakness in the access control mechanisms that govern privilege escalation and persistent operation execution. The vulnerability operates at the core of the software's authorization framework where trusted callers should be strictly limited to their designated operational scope.

The technical implementation of this flaw resides in how the flock wrapper handles authentication tokens and access validation during runtime operations. When configured input paths are utilized, the system fails to properly validate the trust level of incoming requests, creating a pathway for lower-privilege entities to impersonate higher-trust callers. This bypass mechanism specifically targets the durable exec approval binding process that should normally enforce strict authorization checks before allowing execution or persistence actions. The vulnerability manifests as a failure in the access control decision-making logic where the system incorrectly grants elevated privileges based on incomplete validation of caller credentials.

The operational impact of this vulnerability extends far beyond simple privilege escalation, creating persistent security risks that can be exploited for extended periods without detection. Attackers who successfully leverage this bypass can execute arbitrary code with elevated privileges, establish persistence mechanisms, and perform operations that should be restricted to authorized administrative users only. The affected feature's enablement status creates a conditional risk profile where the vulnerability becomes exploitable only when specific configuration parameters are in place, but once activated, provides attackers with substantial control over system resources.

This authorization bypass vulnerability aligns with CWE-285 which addresses improper authorization issues in software systems and demonstrates characteristics consistent with ATT&CK technique T1078 for valid accounts and T1546 for event trigger. The flaw represents a classic case of insufficient access control validation where the system fails to properly verify caller identity before executing privileged operations. Security professionals should consider this vulnerability as part of broader privilege escalation attack vectors that can lead to complete system compromise when combined with other exploitation techniques.

Mitigation strategies must focus on immediate software updates to versions 2026.6.9 or later where the authorization bypass has been patched. Organizations should also implement additional monitoring for unauthorized execution patterns and establish stricter input validation procedures for configured paths. Network segmentation and principle of least privilege enforcement can help limit the potential impact if exploitation occurs, while regular security audits should verify that proper access controls remain in place. The vulnerability underscores the importance of robust authorization frameworks and proper input validation to prevent attackers from exploiting trust relationships within software systems.

Responsible

VulnCheck

Reservation

07/13/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!