CVE-2026-28477
Published: 05 March 2026
Summary
CVE-2026-28477 is a high-severity CSRF (CWE-352) vulnerability in OpenClaw. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 5.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Detects anomalous request patterns consistent with cross-site request forgery.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OAuth state bypass in public-facing web app login flow enables remote exploitation (T1190) leading to credential substitution and unauthorized session/resource access via valid accounts (T1078).
NVD Description
OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts.
Deeper analysis
CVE-2026-28477 is an OAuth state validation bypass vulnerability affecting OpenClaw versions prior to 2026.2.14, specifically in the manual Chutes login flow. This issue allows attackers to circumvent CSRF protection (CWE-352) by failing to properly validate OAuth state parameters. Published on 2026-03-05, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N), indicating a high confidentiality impact with low complexity and user interaction required.
Remote attackers require no privileges to exploit this vulnerability by convincing victims to paste attacker-controlled OAuth callback data into the login flow. Successful attacks enable credential substitution, where the attacker's account credentials replace the user's, and token persistence for unauthorized access to the victim's session or resources.
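The check that a manual "paste the callback" OAuth flow must enforce to keep its CSRF protection, as an added illustration that is not OpenClaw's own code: the state value is bound to the login attempt that issued it, is single-use, expires, and any pasted callback whose state does not match is rejected before the authorization code is used (the class, method and parameter names below are assumptions).

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

STATE_TTL_SECONDS = 300  # assumed lifetime for a pending login attempt


class ManualOAuthLogin:
    """Hypothetical helper for a login flow where the user pastes the OAuth callback."""

    def __init__(self):
        # session_id -> (state issued for that session, issue time)
        self._pending = {}

    def begin(self, session_id: str) -> str:
        """Issue a fresh, unguessable state bound to this session and return it."""
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = (state, time.time())
        return state

    def complete(self, session_id: str, pasted_callback: str) -> str:
        """Return the authorization code only if the pasted callback carries
        the exact state issued to this session; raise ValueError otherwise."""
        # Pop so the state is single-use: a second paste (or replay) fails.
        pending = self._pending.pop(session_id, None)
        if pending is None:
            raise ValueError("no login in progress for this session")
        expected_state, issued_at = pending
        if time.time() - issued_at > STATE_TTL_SECONDS:
            raise ValueError("state expired; restart the login")

        # Accept a full callback URL or just its query string.
        parts = urlsplit(pasted_callback.strip())
        query = parts.query if "?" in pasted_callback else parts.path
        params = parse_qs(query)
        received_state = params.get("state", [""])[0]
        code = params.get("code", [""])[0]

        if not code:
            raise ValueError("callback is missing an authorization code")
        # Constant-time comparison; attacker-supplied data must match the
        # state this server generated, not merely be present.
        if not hmac.compare_digest(received_state, expected_state):
            raise ValueError("state mismatch: callback was not issued for this login attempt")
        return code
```

A callback pasted from an attacker's own login attempt carries the attacker's state, so it fails the comparison and the attacker's credentials are never bound to the victim's session.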
Advisories recommend upgrading to OpenClaw 2026.2.14 or later, which addresses the issue via a commit at https://github.com/openclaw/openclaw/commit/a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47. Further details on the vulnerability and remediation are provided in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-oauth-state-validation-bypass-in-manual-chutes-login-flow.
Details
- CWE(s)