Authorization Bypass Vulnerability in OpenClaw Client for Tool Calls
CVE-2026-32898
5.3MEDIUM
What is CVE-2026-32898?
The OpenClaw ACP client prior to version 2026.2.23 is susceptible to an authorization bypass vulnerability. This issue allows attackers to bypass interactive approval prompts for read-class operations by utilizing untrusted toolCall.kind metadata. By exploiting permissive name heuristics, an attacker can manipulate tool metadata or use non-core names effectively, leading to unauthorized auto-approvals of tool actions.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
OpenClaw 0 < 2026.2.23
OpenClaw 2026.2.23
References
CVSS V4
Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
nedlir