9 matches found

NVD
added 2026/03/05 10:16 p.m., 7 views

CVE-2026-28477

OpenClaw versions prior to 2026.2.14 contain an OAuth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token...

CVSS 7.1, EPSS 0.00133
Exploits: 0, References: 3
Cvelist
added 2026/03/05 9:59 p.m., 26 views

CVE-2026-28477 OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow

OpenClaw versions prior to 2026.2.14 contain an OAuth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token...

CVSS 7.1, EPSS 0.00133
Exploits: 0, References: 3
ATTACKERKB
added 2026/03/05 9:59 p.m., 3 views

CVE-2026-28477

OpenClaw versions prior to 2026.2.14 contain an OAuth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token...

CVSS 5.9, AI score 6, EPSS 0.00133
Exploits: 0, References: 4
Vulnrichment
added 2026/03/05 9:59 p.m., 3 views

CVE-2026-28477 OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow

OpenClaw versions prior to 2026.2.14 contain an OAuth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token...

CVSS 7.1, AI score 5.8, EPSS 0.00133
Exploits: 0, References: 3
CVE
added 2026/03/05 9:59 p.m., 9 views

CVE-2026-28477

CVE-2026-28477 affects OpenClaw. The vulnerability is an OAuth state validation bypass in the manual Chutes login flow, enabling an attacker to substitute credentials and persist tokens for unauthorized accounts by tricking a user into pasting attacker-controlled OAuth callback data. Impact is cr...

CVSS 7.1, AI score 6, EPSS 0.00133
Exploits: 0, References: 3, Affected Software: 1
Snyk
added 2026/02/18 5:41 p.m., 3 views

Cross-site Request Forgery (CSRF)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the manual OAuth login flow. An attacker can cause credential substitution by convincing a user to paste attacker-controlled OAuth callback data,...

CVSS 7.1, AI score 5.8, EPSS 0.00133
Exploits: 0, References: 2
OSV
added 2026/02/18 5:41 p.m., 3 views

GHSA-7RCP-MXPQ-72PJ OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution

Summary: The manual Chutes OAuth login flow could accept attacker-controlled callback input in a way that bypassed OAuth CSRF state validation, potentially resulting in credential substitution. Impact: If an attacker can convince a user to paste attacker-provided OAuth callback data during the manu...

CVSS 5.9, AI score 5.7, EPSS 0.00133
Exploits: 0, References: 6
Github Security Blog
added 2026/02/18 5:41 p.m., 14 views

OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution

Summary: The manual Chutes OAuth login flow could accept attacker-controlled callback input in a way that bypassed OAuth CSRF state validation, potentially resulting in credential substitution. Impact: If an attacker can convince a user to paste attacker-provided OAuth callback data during the manu...

CVSS 7.1, AI score 5.7, EPSS 0.00133
Exploits: 0, References: 6, Affected Software: 1
Positive Technologies
added 2026/02/18 12:0 a.m., 5 views

PT-2026-23552

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14. Description: The manual Chutes OAuth login flow in OpenClaw is susceptible to a bypass of OAuth CSRF state validation. This allows an attacker to bypass CSRF protection by convincing a user to paste...

CVSS 7.1, AI score 5.8, EPSS 0.00133
Exploits: 0, References: 8