CVE-2026-28477
OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow
CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
0th
OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts.
| CWE | CWE-352 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Mar 5, 2026 |
| Last Updated | Mar 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new high vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Affected Versions
OpenClaw / OpenClaw
0 < 2026.2.14
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj github.com: https://github.com/openclaw/openclaw/commit/a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-oauth-state-validation-bypass-in-manual-chutes-login-flow
Credits
๐ Aether AI (@aether-ai-agent)