PT-2026-23552 · Openclaw · Openclaw

Aether Ai · Published 2026-02-18 · Updated 2026-03-07 · CVE-2026-28477

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14
Description: The manual Chutes OAuth login flow in OpenClaw is susceptible to a bypass of OAuth CSRF state validation. This allows an attacker to bypass CSRF protection by convincing a user to paste attacker-controlled OAuth callback data, potentially leading to credential substitution and the persistence of tokens for unauthorized accounts. The automatic local callback flow is not affected.
Recommendations: Update to version 2026.2.14 or later.

Fix · CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-28477
GHSA-7RCP-MXPQ-72PJ

Affected Products

Openclaw