CVE-2026-32898 in OpenClaw
Summary
by MITRE • 03/21/2026
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to reach auto-approve paths.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2026-32898 represents a critical authorization bypass flaw within the OpenClaw framework affecting versions prior to 2026.2.23. This security weakness specifically targets the ACP client component responsible for managing tool call approvals and authorization decisions. The flaw stems from insufficient validation of tool call metadata and overly permissive naming conventions that allow malicious actors to manipulate the approval process without proper authorization. The vulnerability operates at the intersection of trust boundaries where legitimate tool calls are automatically approved based on metadata attributes that should require human verification or additional authentication layers.
The technical implementation of this vulnerability exploits the trust model embedded within the ACP client's approval logic. The system auto-approves tool calls when the toolCall.kind metadata contains specific values or when the tool name matches predetermined patterns that are considered safe or read-class operations. This heuristic-based approach creates a dangerous attack surface where adversaries can craft tool call requests with spoofed metadata or select tool names that match the permissive naming heuristics. The vulnerability manifests through the manipulation of the toolCall.kind field and tool name attributes that should normally trigger interactive approval prompts requiring human intervention. This design flaw allows attackers to bypass the intended security controls that are meant to prevent unauthorized access to sensitive operations.
The operational impact of this vulnerability extends beyond simple unauthorized access to potentially enable more sophisticated attacks within the OpenClaw environment. An attacker who successfully exploits this vulnerability can perform read-class operations without proper authorization, potentially accessing sensitive data or system information that should require explicit approval. The auto-approval mechanism creates a pathway for attackers to escalate privileges or gain access to resources that would normally require human verification or additional authentication. This vulnerability particularly affects scenarios where the ACP client serves as a gatekeeper for tool execution and resource access, potentially allowing unauthorized data exfiltration or system reconnaissance activities. The impact is amplified because the bypass occurs at the authorization layer rather than at the execution or access control level, making it difficult to detect through traditional monitoring approaches.
Security controls for this vulnerability should focus on strengthening metadata validation and implementing more robust authorization decision-making processes within the ACP client. The recommended mitigation includes enforcing strict validation of toolCall.kind metadata attributes to ensure they originate from trusted sources and contain expected values. Additionally, the permissive name heuristics should be replaced with more stringent validation rules that require explicit approval for tool names that could potentially be used to bypass security controls. Organizations should implement proper logging and monitoring of tool call approvals to detect anomalous patterns that may indicate exploitation attempts. The solution aligns with the security principles of least privilege and defense in depth, ensuring that automated approval processes cannot be easily circumvented through metadata manipulation. This vulnerability demonstrates the importance of validating all inputs and not relying solely on heuristic approaches for security decisions.
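The mitigation described above can be illustrated with an added example that is not OpenClaw's code: a heuristic approval decision of the kind the advisory describes, beside a stricter one that looks the tool up by exact name in a host-side registry and records every decision for monitoring. The tool names, registry, function names and sample calls are hypothetical and constructed for illustration.

```javascript
// Added illustration; not OpenClaw source. Tool names, registry and functions are hypothetical.

// Host-side registry: the client's own record of each core tool's class.
const TRUSTED_TOOLS = new Map([
  ["read_file", "read"],
  ["list_dir", "read"],
  ["write_file", "write"],
]);

// The pattern the advisory describes: approval keyed on caller-supplied
// kind metadata, with a read-like name prefix as a fallback.
function heuristicDecision(toolCall) {
  if (toolCall.kind === "read") return "auto-approve";
  if (/^(read|get|list|search)/i.test(String(toolCall.name))) return "auto-approve";
  return "prompt";
}

// Stricter form: exact-name lookup in the host registry decides the class.
// toolCall.kind cannot grant approval; a disagreement with the registry
// forces a prompt and is logged.
function strictDecision(toolCall, auditLog) {
  const known = typeof toolCall.name === "string"
    ? TRUSTED_TOOLS.get(toolCall.name) : undefined;
  let reason = "registry_read";
  if (known === undefined) reason = "unknown_tool";
  else if (toolCall.kind !== undefined && toolCall.kind !== known) reason = "kind_mismatch";
  else if (known !== "read") reason = "not_read_class";
  const decision = reason === "registry_read" ? "auto-approve" : "prompt";
  auditLog.push({ name: toolCall.name, claimedKind: toolCall.kind, decision, reason });
  return decision;
}

// Constructed sample calls (not captured traffic).
const SAMPLE_CALLS = [
  { name: "read_file", kind: "read" },          // genuine core read
  { name: "write_file", kind: "read" },         // kind contradicts registry
  { name: "read_vault_plugin", kind: "other" }, // non-core, read-like name
];

function compareDecisions(calls) {
  const auditLog = [];
  const rows = calls.map((c) => ({
    name: c.name,
    heuristic: heuristicDecision(c),
    strict: strictDecision(c, auditLog),
  }));
  return { rows, auditLog };
}
```

The `reason` field in each audit entry gives monitoring something to alert on: a run of `kind_mismatch` or `unknown_tool` entries is the anomalous approval pattern the paragraph above asks defenders to watch for.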
This vulnerability maps to CWE-285, which addresses authorization bypass issues in software systems, and aligns with ATT&CK technique T1078 for valid accounts and T1566 for spearphishing. The flaw represents a classic case of insufficient input validation combined with overly permissive access control logic. The attack vector leverages the trust model within the system where legitimate tool call metadata is not properly verified before triggering automatic approval mechanisms. The security implications extend to potential data exposure and unauthorized access to system resources that should remain protected through proper authorization controls. Organizations implementing OpenClaw systems should prioritize upgrading to version 2026.2.23 or later where this vulnerability has been addressed through improved metadata validation and stricter approval processes. The remediation process should include comprehensive testing of the updated authorization mechanisms to ensure that legitimate tool calls continue to function properly while preventing the bypass scenarios described in the vulnerability.