Vulnerability Details CVE-2026-28477
OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 4.9%
CVSS Severity
CVSS v3 Score 7.1
References
Products affected by CVE-2026-28477
-
cpe:2.3:a:openclaw:openclaw:0.1.0
-
cpe:2.3:a:openclaw:openclaw:0.1.1
-
cpe:2.3:a:openclaw:openclaw:0.1.2
-
cpe:2.3:a:openclaw:openclaw:0.1.3
-
cpe:2.3:a:openclaw:openclaw:1.0.4
-
cpe:2.3:a:openclaw:openclaw:1.1.0
-
cpe:2.3:a:openclaw:openclaw:1.2.0
-
cpe:2.3:a:openclaw:openclaw:1.2.1
-
cpe:2.3:a:openclaw:openclaw:1.2.2
-
cpe:2.3:a:openclaw:openclaw:1.3.0
-
cpe:2.3:a:openclaw:openclaw:2.0.0
-
cpe:2.3:a:openclaw:openclaw:2026.1.10
-
cpe:2.3:a:openclaw:openclaw:2026.1.11
-
cpe:2.3:a:openclaw:openclaw:2026.1.11-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.11-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.11-3
-
cpe:2.3:a:openclaw:openclaw:2026.1.11-4
-
cpe:2.3:a:openclaw:openclaw:2026.1.111
-
cpe:2.3:a:openclaw:openclaw:2026.1.112
-
cpe:2.3:a:openclaw:openclaw:2026.1.113
-
cpe:2.3:a:openclaw:openclaw:2026.1.12
-
cpe:2.3:a:openclaw:openclaw:2026.1.12-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.12-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.122
-
cpe:2.3:a:openclaw:openclaw:2026.1.13
-
cpe:2.3:a:openclaw:openclaw:2026.1.14-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.141
-
cpe:2.3:a:openclaw:openclaw:2026.1.15
-
cpe:2.3:a:openclaw:openclaw:2026.1.16-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.16-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.162
-
cpe:2.3:a:openclaw:openclaw:2026.1.20
-
cpe:2.3:a:openclaw:openclaw:2026.1.20-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.20-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.21
-
cpe:2.3:a:openclaw:openclaw:2026.1.21-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.21-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.22
-
cpe:2.3:a:openclaw:openclaw:2026.1.23
-
cpe:2.3:a:openclaw:openclaw:2026.1.23-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.24
-
cpe:2.3:a:openclaw:openclaw:2026.1.24-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.24-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.24-3
-
cpe:2.3:a:openclaw:openclaw:2026.1.241
-
cpe:2.3:a:openclaw:openclaw:2026.1.29
-
cpe:2.3:a:openclaw:openclaw:2026.1.30
-
cpe:2.3:a:openclaw:openclaw:2026.1.4
-
cpe:2.3:a:openclaw:openclaw:2026.1.4-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.5
-
cpe:2.3:a:openclaw:openclaw:2026.1.5-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.5-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.5-3
-
cpe:2.3:a:openclaw:openclaw:2026.1.51
-
cpe:2.3:a:openclaw:openclaw:2026.1.52
-
cpe:2.3:a:openclaw:openclaw:2026.1.53
-
cpe:2.3:a:openclaw:openclaw:2026.1.8
-
cpe:2.3:a:openclaw:openclaw:2026.1.8-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.8-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.9
-
cpe:2.3:a:openclaw:openclaw:2026.2.0
-
cpe:2.3:a:openclaw:openclaw:2026.2.1
-
cpe:2.3:a:openclaw:openclaw:2026.2.12
-
cpe:2.3:a:openclaw:openclaw:2026.2.13
-
cpe:2.3:a:openclaw:openclaw:2026.2.2
-
cpe:2.3:a:openclaw:openclaw:2026.2.2-1
-
cpe:2.3:a:openclaw:openclaw:2026.2.2-2
-
cpe:2.3:a:openclaw:openclaw:2026.2.2-3
-
cpe:2.3:a:openclaw:openclaw:2026.2.3
-
cpe:2.3:a:openclaw:openclaw:2026.2.3-1
-
cpe:2.3:a:openclaw:openclaw:2026.2.6
-
cpe:2.3:a:openclaw:openclaw:2026.2.6-1
-
cpe:2.3:a:openclaw:openclaw:2026.2.6-2
-
cpe:2.3:a:openclaw:openclaw:2026.2.6-3
-
cpe:2.3:a:openclaw:openclaw:2026.2.9