CVE-2026-28477 Overview
OpenClaw versions prior to 2026.2.14 contain an OAuth state validation bypass vulnerability in the manual Chutes login flow. This Cross-Site Request Forgery (CSRF) vulnerability allows attackers to bypass CSRF protection mechanisms by convincing users to paste attacker-controlled OAuth callback data. Successful exploitation enables credential substitution and token persistence for unauthorized accounts, potentially compromising user authentication sessions.
Critical Impact
Attackers can exploit this OAuth state validation bypass to perform credential substitution attacks, enabling unauthorized access to user accounts through manipulated OAuth callback data.
Affected Products
- OpenClaw versions prior to 2026.2.14
Discovery Timeline
- 2026-03-05 - CVE CVE-2026-28477 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28477
Vulnerability Analysis
This vulnerability (CWE-352: Cross-Site Request Forgery) exists in the OAuth authentication flow within OpenClaw's Chutes login mechanism. The core issue stems from improper validation of the OAuth state parameter during manual authentication flows, which is designed to prevent CSRF attacks during OAuth redirects.
In vulnerable versions, the application permitted users to paste only the authorization code without the accompanying state parameter, effectively bypassing the CSRF protection that the state parameter provides. This design decision prioritized user convenience over security, allowing attackers to substitute their own OAuth callback data into a victim's authentication session.
Root Cause
The root cause lies in the parseOAuthCallbackInput function within src/agents/chutes-oauth.ts. The vulnerable implementation accepted bare authorization codes without state validation when users pasted content that didn't match a full URL format. The code path explicitly allowed "code-only paste" scenarios, assuming user consent mitigated the CSRF risk. However, this assumption is flawed because users can be socially engineered into pasting attacker-controlled data without understanding the security implications.
Attack Vector
The attack requires network access and user interaction. An attacker can craft malicious OAuth callback data and convince a target user to paste this data into the manual Chutes login prompt. Since the vulnerable code accepted authorization codes without validating the corresponding state parameter, the attacker's credentials could be substituted into the victim's session, enabling:
- Unauthorized account access through credential substitution
- Persistent token theft for long-term unauthorized access
- Session hijacking through OAuth flow manipulation
// Security patch from src/agents/chutes-oauth.ts
// Source: https://github.com/openclaw/openclaw/commit/a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47
return { error: "No input provided" };
}
+ // Manual flow must validate CSRF state; require URL (or querystring) that includes `state`.
+ let url: URL;
try {
- const url = new URL(trimmed);
- const code = url.searchParams.get("code");
- const state = url.searchParams.get("state");
- if (!code) {
- return { error: "Missing 'code' parameter in URL" };
- }
- if (!state) {
- return { error: "Missing 'state' parameter. Paste the full URL (or just the code)." };
- }
- if (state !== expectedState) {
- return { error: "OAuth state mismatch - possible CSRF attack. Please retry login." };
- }
- return { code, state };
+ url = new URL(trimmed);
} catch {
- // Manual flow: users often paste only the authorization code.
- // In that case we can't validate state, but the user is explicitly opting in by pasting it.
- if (!/\s/.test(trimmed) && !trimmed.includes("://") && trimmed.length > 0) {
- return { code: trimmed, state: expectedState };
+ // Code-only paste (common) is no longer accepted because it defeats state validation.
+ if (
+ !/\s/.test(trimmed) &&
+ !trimmed.includes("://") &&
+ !trimmed.includes("?") &&
The patch enforces strict state validation by requiring the full redirect URL containing both code and state parameters, eliminating the vulnerable code-only paste pathway.
Detection Methods for CVE-2026-28477
Indicators of Compromise
- Unusual OAuth authentication patterns with missing or mismatched state parameters
- Multiple failed OAuth state validation errors followed by successful authentications
- Authentication events from unexpected geographic locations or IP addresses after OAuth flow completion
- Session tokens created with inconsistent OAuth callback origins
Detection Strategies
- Monitor authentication logs for OAuth callbacks that lack state parameters or contain state mismatches
- Implement anomaly detection for users authenticating through manual OAuth flows with unusually formatted callback data
- Alert on OAuth authentication events where the state parameter validation was bypassed or not performed
- Track authentication flows where authorization codes are submitted without corresponding state values
Monitoring Recommendations
- Enable verbose logging for OAuth authentication flows in OpenClaw deployments
- Configure SIEM rules to correlate OAuth callback events with user session creation
- Monitor for social engineering indicators such as users reporting suspicious instructions to paste data into login prompts
- Review authentication audit logs for patterns consistent with credential substitution attacks
How to Mitigate CVE-2026-28477
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Review recent OAuth authentication logs for signs of exploitation
- Invalidate and regenerate OAuth tokens for users who may have been affected
- Educate users about the risks of pasting external data into authentication prompts
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.14. The security patch modifies the OAuth callback parsing logic to require full redirect URLs containing both code and state parameters, ensuring proper CSRF validation in all authentication flows. The fix is available in commit a99ad11.
Additional resources:
Workarounds
- Disable manual OAuth code entry functionality until patching is complete
- Enforce automated OAuth redirect flows only, preventing manual callback data input
- Implement network-level controls to restrict OAuth callback endpoints to trusted redirect URIs
- Deploy web application firewall rules to validate OAuth state parameters at the network edge
# Configuration example - Disable manual OAuth code entry (if supported)
# Update OpenClaw configuration to enforce strict OAuth flow
export OPENCLAW_OAUTH_STRICT_MODE=true
export OPENCLAW_DISABLE_MANUAL_CODE_ENTRY=true
# Restart OpenClaw service to apply changes
systemctl restart openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
