6.0

OpenClaw ACP Client Fails to Verify Tool Permissions

GHSA-7jx5-9fjg-hp4m
Summary

The OpenClaw ACP client doesn't properly check permissions for certain tool calls, which could allow an attacker to bypass approval prompts for sensitive operations. This affects versions of OpenClaw ACP client before 2026.2.23. To fix this issue, update to version 2026.2.23 or later.

What to do
  • Update steipete openclaw to version 2026.2.23.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| steipete | openclaw | <= 2026.2.22-2 | 2026.2.23 |
Original title
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
Original description
## Vulnerability Summary

The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.

## Affected Packages / Versions

- Package: npm `openclaw`
- Affected published versions: `<= 2026.2.22-2` (latest published as of February 24, 2026 is `2026.2.22-2`)
- Patched in code on `main`: `2026.2.23` (released)

## Technical Details

- Permission classification trusted incoming `toolCall.kind` and heuristic name matching.
- Non-core read-like names and spoofed kind metadata could reach auto-approve paths.
- `read` operations were not scoped strongly enough to cwd in all metadata/title forms.

## Fix

- Require trusted core tool IDs for auto-approval and ignore untrusted `toolCall.kind` as an authorization source.
- Scope `read` auto-approval to cwd-resolved paths.
- Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names.
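
The added example below, which is not OpenClaw's code, contrasts a simplified stand-in for the pre-fix heuristic with a check that follows the three fix items above. The tool ID allowlist, the request shape (`name`, `kind`, `input.path`) and all function names are assumptions made for illustration.

```javascript
// Added illustration: tool IDs, request shape and heuristic are assumptions, not OpenClaw code.
const TRUSTED_READ_TOOL_IDS = new Set(["read"]); // hypothetical allowlist of core tool IDs

// Minimal POSIX resolver so the example needs no imports; real code would use
// path.resolve and resolve symlinks before comparing.
function resolvePosix(base, p) {
  const out = [];
  for (const seg of (p.startsWith("/") ? p : `${base}/${p}`).split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

function isInsideCwd(cwd, target) {
  const root = resolvePosix("/", cwd);
  const resolved = resolvePosix(root, target);
  return resolved === root || resolved.startsWith(root === "/" ? "/" : `${root}/`);
}

// Simplified pre-fix pattern: authorization taken from caller-supplied `kind`
// and a loose name match.
function autoApproveHeuristic(toolCall) {
  return toolCall.kind === "read" || /read/i.test(String(toolCall.name));
}

// Hardened pattern: strict name syntax, exact trusted ID, `kind` ignored,
// target path must resolve inside cwd. Anything else goes to the prompt.
function autoApproveStrict(toolCall, cwd) {
  const name = toolCall.name;
  if (typeof name !== "string" || !/^[a-z][a-z0-9_]{0,63}$/.test(name)) return false;
  if (!TRUSTED_READ_TOOL_IDS.has(name)) return false;
  const target = toolCall.input && toolCall.input.path;
  if (typeof target !== "string" || target === "" || target.includes("\0")) return false;
  return isInsideCwd(cwd, target);
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { name: "read", kind: "read", input: { path: "src/index.ts" } },
  { name: "read", kind: "read", input: { path: "../other-project/notes.txt" } },
  { name: "exec", kind: "read", input: { command: "id" } }, // spoofed kind
  { name: "read_and_send", kind: "other", input: { path: "a.txt" } }, // read-like, non-core
];

function decide(cwd) {
  return SAMPLES.map((tc) => [autoApproveHeuristic(tc), autoApproveStrict(tc, cwd)]);
}
```

`decide(cwd)` returns one `[heuristic, strict]` pair per sample; a `false` in the second position means the call falls through to the interactive approval prompt.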

## Affected Functions

- `resolvePermissionRequest`
- `resolveToolNameForPermission`
- `shouldAutoApproveToolCall`

## Fix Commit(s)

- `12cc754332f9a7c92e158ce7644aa22df79c0904`
- `63dcd28ae0be2de1c75af09cc81841cebeec068f`

Found using [MCPwner](https://github.com/Pigyon/MCPwner)


Thanks @nedlir for reporting.
ghsa CVSS4.0 6.0
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-863 Incorrect Authorization
Published: 27 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026