CVE-2026-28477
MEDIUM 5.9, EPSS 0.02%
OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution
Description
## Summary

The manual Chutes OAuth login flow could accept attacker-controlled callback input in a way that bypassed OAuth CSRF state validation, potentially resulting in credential substitution.

## Impact

If an attacker can convince a user to paste attacker-provided OAuth callback data during the manual login prompt, OpenClaw may exchange an attacker-obtained authorization code and persist tokens for the wrong Chutes account. The automatic local callback flow is not affected (it validates `state` in the local HTTP callback handler).

## Affected Packages / Versions

- `openclaw` (npm): `<= 2026.2.13` when using the manual Chutes OAuth login flow.

## Fix

The manual flow now requires the full redirect URL (it must include both `code` and `state`), validates the returned `state` against the expected value, and rejects code-only pastes.

## Fix Commit(s)

- a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47

Thanks @aether-ai-agent for reporting.
Affected packages (1)
- npm/openclaw from 0, < 2026.2.14
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-28477
- PATCH: https://github.com/openclaw/openclaw
- WEB: https://github.com/openclaw/openclaw/commit/a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47
- WEB: https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- WEB: https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj
- WEB: https://www.vulncheck.com/advisories/openclaw-oauth-state-validation-bypass-in-manual-chutes-login-flow