CVE-2026-28477

HIGH WAF: Low
CVSS 7.1 Published: 2026-03-05
CWE-352

OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts.

WAF Coverage Analysis

Cross-Site Request Forgery (CSRF) Low WAF Coverage

OWASP: A01:2021 Broken Access Control

Affected Software

VendorProductVersion
openclawopenclawup to 2026.2.14

References

Back to CVE Database