Incorrect Permission Assignment for Critical Resource Affecting openclaw package, versions >=2026.5.20 <2026.6.6


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.23% (14th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-OPENCLAW-17970568
  • published14 Jul 2026
  • disclosed14 Jul 2026
  • creditUnknown

Introduced: 14 Jul 2026

NewCVE-2026-62195  (opens in a new tab)
CWE-732  (opens in a new tab)

How to fix?

Upgrade openclaw to version 2026.6.6 or higher.

Overview

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the MCP loopback process. An attacker can gain unauthorized access to owner-level tools by exploiting configured input paths to execute or persist actions beyond their intended permissions.

CVSS Base Scores

version 4.0
version 3.1