CVE-2026-28477
Severity: HIGH
OpenClaw <2026.2.14 - Auth Bypass
Title source: llmDescription
OpenClaw versions prior to 2026.2.14 contain an OAuth state validation bypass in the manual Chutes login flow that allows attackers to bypass its CSRF protection. An attacker who convinces a user to paste attacker-controlled OAuth callback data can substitute credentials and persist a token for an unauthorized account.
Scores
CVSS v3
7.1
EPSS
0.0001
EPSS Percentile
2.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Classification
CWE
CWE-352
Status
draft
Affected Products (1)
npm/openclaw
< 2026.2.14 (npm)
Timeline
Published
Mar 05, 2026
Tracked Since
Mar 06, 2026