CVE-2026-32898

描述

## Vulnerability Summary The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations. ## Affected Packages / Versions - Package: npm `openclaw` - Affected published versions: `<= 2026.2.22-2` (latest published as of February 24, 2026 is `2026.2.22-2`) - Patched in code on `main`: `2026.2.23` (released) ## Technical Details - Permission classification trusted incoming `toolCall.kind` and heuristic name matching. - Non-core read-like names and spoofed kind metadata could reach auto-approve paths. - `read` operations were not scoped strongly enough to cwd in all metadata/title forms. ## Fix - Require trusted core tool IDs for auto-approval and ignore untrusted `toolCall.kind` as an authorization source. - Scope `read` auto-approval to cwd-resolved paths. - Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names. ## Affected Functions - `resolvePermissionRequest` - `resolveToolNameForPermission` - `shouldAutoApproveToolCall` ## Fix Commit(s) - `12cc754332f9a7c92e158ce7644aa22df79c0904` - `63dcd28ae0be2de1c75af09cc81841cebeec068f` Found using [MCPwner](https://github.com/Pigyon/MCPwner) Thanks @nedlir for reporting.

受影響套件(1)

• npm/openclawfrom 0, < 2026.2.23

CVSS 分數

參考連結(7)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32898
• PATCHhttps://github.com/openclaw/openclaw
• WEBhttps://github.com/openclaw/openclaw/commit/12cc754332f9a7c92e158ce7644aa22df79c0904
• WEBhttps://github.com/openclaw/openclaw/commit/63dcd28ae0be2de1c75af09cc81841cebeec068f
• WEBhttps://github.com/openclaw/openclaw/releases/tag/v2026.2.23
• WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-7jx5-9fjg-hp4m
• WEBhttps://www.vulncheck.com/advisories/openclaw-acp-permission-auto-approval-bypass-via-untrusted-tool-metadata