CVE-2026-32898

OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to reach auto-approve paths.

OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to reach auto-approve paths.

## Vulnerability Summary The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations. ## Affected Packages / Versions - Package: npm `openclaw` - Affected published versions: `<= 2026.2.22-2` (latest published as of February 24, 2026 is `2026.2.22-2`) - Patched in code on `main`: `2026.2.23` (released) ## Technical Details - Permission classification trusted incoming `toolCall.kind` and heuristic name matching. - Non-core read-like names and spoofed kind metadata could reach auto-approve paths. - `read` operations were not scoped strongly enough to cwd in all metadata/title forms. ## Fix - Require trusted core tool IDs for auto-approval and ignore untrusted `toolCall.kind` as an authorization source. - Scope `read` auto-approval to cwd-resolved paths. - Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names. ## Affected Functions - `resolvePermissionRequest` - `resolveToolNameForPermission` - `shouldAutoApproveToolCall` ## Fix Commit(s) - `12cc754332f9a7c92e158ce7644aa22df79c0904` - `63dcd28ae0be2de1c75af09cc81841cebeec068f` Found using [MCPwner](https://github.com/Pigyon/MCPwner) Thanks @nedlir for reporting.

## Vulnerability Summary The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations. ## Affected Packages / Versions - Package: npm `openclaw` - Affected published versions: `<= 2026.2.22-2` (latest published as of February 24, 2026 is `2026.2.22-2`) - Patched in code on `main`: `2026.2.23` (released) ## Technical Details - Permission classification trusted incoming `toolCall.kind` and heuristic name matching. - Non-core read-like names and spoofed kind metadata could reach auto-approve paths. - `read` operations were not scoped strongly enough to cwd in all metadata/title forms. ## Fix - Require trusted core tool IDs for auto-approval and ignore untrusted `toolCall.kind` as an authorization source. - Scope `read` auto-approval to cwd-resolved paths. - Add stricter tool-name validation and regression coverage for spoofed kind and non-core read-like names. ## Affected Functions - `resolvePermissionRequest` - `resolveToolNameForPermission` - `shouldAutoApproveToolCall` ## Fix Commit(s) - `12cc754332f9a7c92e158ce7644aa22df79c0904` - `63dcd28ae0be2de1c75af09cc81841cebeec068f` Found using [MCPwner](https://github.com/Pigyon/MCPwner) Thanks @nedlir for reporting.

Las versiones de OpenClaw anteriores a 2026.2.23 contienen una vulnerabilidad de omisión de autorización en el cliente ACP que auto-aprueba las llamadas a herramientas basándose en metadatos toolCall.kind no confiables y heurísticas de nombres permisivas. Los atacantes pueden omitir las solicitudes de aprobación interactivas para operaciones de clase de lectura suplantando metadatos de herramientas o utilizando nombres similares a lectura no centrales para alcanzar rutas de auto-aprobación.