
4 matches found

EUVD
added 2026/04/11 12:17 a.m., 2 views

EUVD-2026-21623

OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose stored credentials on affected installations of OpenClaw. User interaction is required to exploit this vulnerability in that the target must initiate an OAuth authorization...

CVSS 5.3, AI score 5.9, EPSS 0.00075
Exploits: 0, References: 2
Positive Technologies
added 2026/03/30 12:0 a.m., 1 view

PT-2026-29057

Name of the Vulnerable Software and Affected Versions: OpenClaw (affected versions not specified). Description: An issue exists in OpenClaw that allows remote attackers to disclose stored credentials. User interaction is required, specifically the target must initiate an OAuth authorization flow. The...

CVSS 5.3, AI score 5.9, EPSS 0.00075
Exploits: 0, References: 4
Github Security Blog
added 2026/03/21 3:31 a.m., 5 views

Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-7jx5-9fjg-hp4m. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approv...

CVSS 5.4, AI score 5.7, EPSS 0.00023
Exploits: 0, References: 6, Affected Software: 1
OSV
added 2026/02/27 10:8 p.m., 3 views

GHSA-7JX5-9FJG-HP4M OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata

Vulnerability Summary: The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations. Affected Packages / Versions -...

CVSS 5.4, AI score 6, EPSS 0.00023
Exploits: 0, References: 7