OpenClaw OAuth State Validation Bypass Vulnerability in Manual Chutes Login Flow
Vulnerability
OpenClaw versions prior to 2026.2.14 do not validate the OAuth state parameter in the manual Chutes login flow, so the Cross-Site Request Forgery (CSRF) protection that the state value is meant to provide can be bypassed. An attacker who persuades a user to paste attacker-controlled OAuth callback data into this flow can substitute their own credentials, causing tokens for an unauthorized account to be persisted.
Impact
Exploitation of this vulnerability enables a Cross-Site Request Forgery (CSRF) attack in which the attacker bypasses OAuth state validation, leading to unauthorized access and the persistence of tokens for Chutes accounts.
Reproduction
To reproduce this vulnerability, use OpenClaw version 2026.2.13 or earlier and start the manual Chutes OAuth login flow. When prompted, paste an OAuth callback URL that either omits the state parameter or carries a state value that does not match the one issued for the flow. The CSRF check is bypassed and the application accepts the authorization code, which is then exchanged for tokens belonging to an unauthorized account.
Remediation
Users can update to OpenClaw version 2026.2.14 or later, where this vulnerability has been patched.
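The check that the patched flow must perform, shown here as an added example that is not OpenClaw's own code: a vulnerable acceptor that uses whatever authorization code is pasted, beside a hardened one that rejects a callback whose state is missing or does not match the per-flow value. Function names and the localhost callback URL are assumed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


def begin_manual_login() -> str:
    """Issue the per-flow state nonce that the pasted callback must echo back."""
    return secrets.token_urlsafe(32)


def _callback_params(pasted: str) -> dict:
    """Accept either a full callback URL or just its query string (user paste)."""
    query = urlparse(pasted).query if "?" in pasted else pasted
    return {k: v[0] for k, v in parse_qs(query).items() if v}


def accept_callback_vulnerable(pasted: str, expected_state: str):
    """Bug pattern: the code is used as long as it is present; state is
    never compared, so a missing or attacker-chosen state passes."""
    return _callback_params(pasted).get("code")


def accept_callback_fixed(pasted: str, expected_state: str):
    """Hardened: refuse to exchange the code unless the pasted state is
    present and equals the one issued when this flow started."""
    params = _callback_params(pasted)
    code = params.get("code")
    state = params.get("state")
    if not code:
        return None
    # Missing state is a failure, not a fallback; constant-time compare.
    if state is None or not hmac.compare_digest(state, expected_state):
        return None
    return code
```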