CVE-2026-32898
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
Description
## Vulnerability Summary The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations. ## Affected Packages / Versions - Package: npm `openclaw` - Affected published versions: `<= 2026.2.22-2` (latest published as of February 24, 2026 is `2026.2.22-2`) - Patched in code on `main`: `2026.2.23` (released) ## Technical Details - Permission classification trusted incoming `toolCall.kind` and heuristic name matching. - Non-core read-like names and spoofed kind metadata could reach auto-approve paths. - `read` operations were not scoped strongly enough to cwd in all metadata/title forms. ## Fix - Require trusted core tool IDs for auto-approval and ignore untrusted `toolCall.kind` as an authorization source. - Scope `read` auto-approval to cwd-resolved paths. - Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names. ## Affected Functions - `resolvePermissionRequest` - `resolveToolNameForPermission` - `shouldAutoApproveToolCall` ## Fix Commit(s) - `12cc754332f9a7c92e158ce7644aa22df79c0904` - `63dcd28ae0be2de1c75af09cc81841cebeec068f` Found using [MCPwner](https://github.com/Pigyon/MCPwner) Thanks @nedlir for reporting.
How to fix CVE-2026-32898
To remediate CVE-2026-32898, upgrade the affected package to a fixed version below.
- —upgrade to 2026.2.23 or later
Is CVE-2026-32898 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2026.2.23