Description
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to reach auto-approve paths.
Published: 2026-03-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions before 2026.2.23 contain an authorization bypass in the ACP client: tool calls are auto‑approved on the strength of the toolCall.kind metadata and permissive tool‑name heuristics, neither of which the client verifies. An attacker able to craft the tool calls the client receives can spoof the kind metadata, or give a tool a non‑core, read‑like name, and so reach the auto‑approve path, bypassing the interactive prompt that read‑class operations would otherwise require. The result is that operations the user should have been asked to confirm run without confirmation, which can expose sensitive data. The weakness is classified as CWE‑807 (Reliance on Untrusted Inputs in a Security Decision): the approval decision depends on metadata the other party controls.

Affected Systems

The affected product is OpenClaw from the OpenClaw vendor. All releases prior to version 2026.2.23 are impacted; upgrading to 2026.2.23 or later resolves the issue.

Risk and Exploitability

The CVSS v4.0 base score of 5.3 (v3.1: 5.4) indicates moderate severity. EPSS is below 1% and the vulnerability is not listed in CISA's KEV catalog, so there is no indication of widespread exploitation yet. The vector (AV:N/AC:L/PR:L/UI:N) describes a network‑reachable flaw that needs only low privileges and no user interaction: whoever can submit a crafted toolCall with fabricated kind metadata, or with a read‑like name, gets the operation auto‑approved without the interactive prompt. Given the moderate severity and the potential for data leakage, remediate promptly.

Generated by OpenCVE AI on March 21, 2026 at 06:53 UTC.

Remediation

The CVE record itself carries no vendor fix or workaround text. The fixed version is stated in the description and in the GitHub advisory GHSA-7jx5-9fjg-hp4m: upgrade to OpenClaw 2026.2.23 or later.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.2.23 or later, which contains the upstream patch for the authorization bypass.
  • If you maintain a fork or cannot upgrade immediately, do not let the auto‑approve decision depend on the caller‑supplied toolCall.kind or on pattern matching against the tool name; key it on a client‑side registry of verified core tools and the kind the client has confirmed for each, and prompt for anything else.
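The vulnerable pattern described in the Impact paragraph above, beside the registry‑keyed check that the second recommended action calls for, as an added TypeScript example. This is illustrative code written for this page, not OpenClaw's ACP client; the ToolCall shape, the decideVulnerable/decideHardened names and the registry contents are assumptions.

```typescript
// Added example for CVE-2026-32898: an approval gate that trusts caller-supplied
// tool metadata, beside a gate keyed on a client-side registry instead.
// Illustrative code, not OpenClaw's; the interface fields, function names and
// registry contents are assumptions made for this example.

// What an ACP permission request might carry. Every field here is chosen by
// the peer that issues the tool call, so none of it is trustworthy by itself.
interface ToolCall {
  name: string;      // tool name chosen by the caller
  kind?: string;     // caller-supplied class, e.g. "read", "edit", "execute"
  input?: unknown;   // tool arguments (not inspected by either gate)
}

type Decision = "auto-approve" | "prompt";

// Vulnerable pattern: the decision rests on the caller-supplied kind and on a
// loose prefix match of the name. A destructive tool labelled kind "read", or a
// non-core tool whose name merely starts with "read", skips the prompt.
function decideVulnerable(call: ToolCall): Decision {
  if (call.kind === "read") {
    return "auto-approve";
  }
  if (/^(read|list|get|search|fetch|view)/i.test(call.name)) {
    return "auto-approve";
  }
  return "prompt";
}

// Hardened pattern: the client owns a registry of core tools and the class it
// has verified for each. The caller-supplied kind never enters the decision;
// a tool that is not in the registry, or not verified as read-class, prompts.
// (Hypothetical registry contents.)
const CORE_TOOL_KINDS = new Map<string, "read" | "edit" | "execute">([
  ["read_file", "read"],
  ["list_directory", "read"],
  ["write_file", "edit"],
  ["run_shell", "execute"],
]);

function decideHardened(call: ToolCall): Decision {
  const verifiedKind = CORE_TOOL_KINDS.get(call.name);
  return verifiedKind === "read" ? "auto-approve" : "prompt";
}

// Constructed tool calls covering the two bypass paths the advisory names
// (spoofed kind, read-like name) plus one honest read and one honest edit.
const SAMPLE_CALLS: ToolCall[] = [
  { name: "read_file", kind: "read", input: { path: "/etc/hostname" } },
  { name: "run_shell", kind: "read", input: { cmd: "cat ~/.ssh/id_ed25519" } },
  { name: "read_and_upload", input: { path: "~/.aws/credentials" } },
  { name: "write_file", kind: "edit", input: { path: "notes.txt", content: "x" } },
];

interface Comparison {
  name: string;
  vulnerable: Decision;
  hardened: Decision;
}

// Runs both gates over the same calls so the divergence is visible side by side.
function compareGates(calls: ToolCall[]): Comparison[] {
  return calls.map((call) => ({
    name: call.name,
    vulnerable: decideVulnerable(call),
    hardened: decideHardened(call),
  }));
}

for (const row of compareGates(SAMPLE_CALLS)) {
  console.log(`${row.name.padEnd(16)} vulnerable=${row.vulnerable.padEnd(12)} hardened=${row.hardened}`);
}
```

The spoofed run_shell call and the read_and_upload call are auto‑approved by the first gate and prompted by the second; the honest read_file call is auto‑approved by both. A mismatch between a caller‑supplied kind and the registry's verified kind is also worth logging, since a peer that labels an execute tool as "read" is probing exactly this path.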

Generated by OpenCVE AI on March 21, 2026 at 06:53 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-7jx5-9fjg-hp4m
Title: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
History

Mon, 23 Mar 2026 18:15:00 +0000

Type: Metrics
Values removed: (empty)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 21 Mar 2026 05:30:00 +0000

All entries below are first additions; the "Values removed" column is empty for each.

Type: Description
Values added: OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to reach auto-approve paths.

Type: Title
Values added: OpenClaw < 2026.2.23 - ACP Permission Auto-Approval Bypass via Untrusted Tool Metadata

Type: First Time appeared
Values added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values added: CWE-807

Type: CPEs
Values added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values added: Openclaw; Openclaw openclaw

Type: References
Values added: (none listed)

Type: Metrics
Values added:
cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T17:26:26.267Z

Reserved: 2026-03-16T21:18:44.711Z

Link: CVE-2026-32898

Vulnrichment

Updated: 2026-03-23T17:26:22.497Z

NVD

Status : Analyzed

Published: 2026-03-21T01:17:10.870

Modified: 2026-03-24T21:07:15.300

Link: CVE-2026-32898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:47Z

Weaknesses