CVE-2026-28477

HIGH

OpenClaw <2026.2.14 - Auth Bypass

Title source: llm

Description

OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj

[Patch] https://github.com/openclaw/openclaw/commit/a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-oauth-state-validation-bypass-in-manual-chutes-login-flow

Scores

CVSS v3 7.1

EPSS 0.0002

EPSS Percentile 4.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (2)

npm/openclaw 0 - 2026.2.14npm

openclaw/openclaw < 2026.2.14

Published Mar 05, 2026

Tracked Since Mar 06, 2026