PT-2026-24171 · Npm · Openclaw

Published

2026-02-27

·

Updated

2026-02-27

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Vulnerability Summary

The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.

Affected Packages / Versions

  • Package: npm openclaw
  • Affected published versions: <= 2026.2.22-2 (latest published as of February 24, 2026 is 2026.2.22-2)
  • Patched in code on main: 2026.2.23 (released)

Technical Details

  • Permission classification trusted incoming toolCall.kind and heuristic name matching.
  • Non-core read-like names and spoofed kind metadata could reach auto-approve paths.
  • read operations were not scoped strongly enough to cwd in all metadata/title forms.

Fix

  • Require trusted core tool IDs for auto-approval and ignore untrusted toolCall.kind as an authorization source.
  • Scope read auto-approval to cwd-resolved paths.
  • Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names.

Affected Functions

  • resolvePermissionRequest
  • resolveToolNameForPermission
  • shouldAutoApproveToolCall

Fix Commit(s)

  • 12cc754332f9a7c92e158ce7644aa22df79c0904
  • 63dcd28ae0be2de1c75af09cc81841cebeec068f
Found using MCPwner
Thanks @nedlir for reporting.

Fix

IDOR

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-639CWE-863

Related Identifiers

GHSA-7JX5-9FJG-HP4M

Affected Products

Openclaw