OpenClaw ACP Client Allows Unauthorized Access to Sensitive Data

CVE-2026-32898

Summary

OpenClaw versions before 2026.2.23 let the ACP client auto-approve tool calls based on metadata it does not verify (the tool call's self-declared kind and read-like names), so an attacker can skip the interactive approval prompt meant for read-class operations and reach sensitive data without authorization. To protect your data, update to OpenClaw version 2026.2.23 or later.

Original title
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heur...
Original description
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to reach auto-approve paths.
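The flaw class the description names (CWE-807: letting client-supplied metadata and loose name matching decide whether the approval prompt is skipped), shown as a toy approval policy beside a hardened one. This is an added example and not OpenClaw's code; the field names `name`, `kind` and `title`, the function names and the contents of the read-only allowlist are assumptions made for illustration.

```javascript
// Added example (not OpenClaw's code): a toy model of ACP tool-call approval that
// contrasts a weak policy with a hardened one. The field names `name`, `kind` and
// `title`, the function names and the allowlist contents are illustrative assumptions.

// Weak policy (the CWE-807 pattern): the decision to skip the approval prompt rests
// on `kind` and `title`, both of which arrive from the untrusted side of the protocol.
function approveToolCallWeak(toolCall) {
  if (toolCall.kind === "read") return true;
  if (/\b(read|get|list|fetch)\b/i.test(toolCall.title || "")) return true;
  return false; // anything else would fall through to an interactive prompt
}

// Hardened policy: the read-only class is derived on the trusted side from an
// exact-match allowlist of tool identifiers. Client-supplied `kind` and free-text
// `title` never take part in the decision, so misrepresenting them changes nothing.
const READ_ONLY_TOOLS = new Set(["fs.read_file", "fs.list_directory"]);

function approveToolCallHardened(toolCall) {
  return typeof toolCall.name === "string" && READ_ONLY_TOOLS.has(toolCall.name);
}

// Constructed sample tool calls: one genuine read and two that describe themselves
// as read-like although the underlying tool is not read-only.
const SAMPLE_CALLS = [
  { name: "fs.read_file", kind: "read", title: "Read config" },
  { name: "fs.write_file", kind: "read", title: "Save notes" },              // kind does not match the tool
  { name: "shell.exec", kind: "execute", title: "List installed packages" }, // title trips the name heuristic
];

// Returns the tool names a policy would auto-approve without prompting the user.
function autoApproved(policy, calls = SAMPLE_CALLS) {
  return calls.filter(policy).map((c) => c.name);
}

console.log("weak policy auto-approves:", autoApproved(approveToolCallWeak));
console.log("hardened policy auto-approves:", autoApproved(approveToolCallHardened));
```

Running the block shows the weak policy waving through all three calls while the hardened policy auto-approves only the genuine read; the other two would reach the prompt. For detection, the same contrast suggests logging every auto-approval together with the tool identifier and the declared kind, so a mismatch between the two stands out in review.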
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-807 (Reliance on Untrusted Inputs in a Security Decision)
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026