CVE-2026-28477 OpenClaw — Exploit & Vulnerability Details MEDIUM

Parameter	Value
CVSS	5.9 (MEDIUM)
Affected Versions	before 2026.2.14
Type	CWE-352 (Cross-Site Request Forgery (CSRF) (Подделка межсайтовых запросов))
Vendor	OpenClaw
Public PoC	No

OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts.

Attack Parameters

Attack Vector

Network

Атака возможна удалённо

Attack Complexity

Low

Легко эксплуатировать

Attack Requirements

Present

Нужны дополнительные условия

Privileges Required

None

Права не нужны

User Interaction

Active

Нужно действие пользователя

Impact Assessment

Confidentiality

High

Полная утечка данных

Integrity

Low

Частичная модификация данных

Availability

None

Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-352 Cross-Site Request Forgery (CSRF) (Подделка межсайтовых запросов)

References 3

https://github.com/openclaw/openclaw/commit/a99ad11a4107ba8eac58f54a3c1a8a0cf56…

disclosure@vulncheck.com

https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj

disclosure@vulncheck.com

https://www.vulncheck.com/advisories/openclaw-oauth-state-validation-bypass-in-…

disclosure@vulncheck.com

Menu

CVE-2026-28477

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 3

CVE Details

Editor's Choice