OpenClaw Authorization Bypass Vulnerability in ACP Client

A vulnerability allowing authorization bypass in the OpenClaw ACP client has been identified in versions prior to 2026.2.23. This vulnerability allows tool calls to be auto-approved based on untrusted metadata and lenient name heuristics. Attackers can exploit this by spoofing tool metadata or using non-core read-like names to bypass interactive approval prompts for read-class operations.

Impact

Exploitation of this vulnerability allows for unauthorized auto-approval of tool calls in the ACP client, bypassing expected interactive permission prompts, particularly for read-class operations.

Reproduction

The vulnerability can be reproduced by sending a tool call through the ACP client that includes spoofed metadata or non-core read-like names. This can be done by manipulating the 'toolCall.kind' metadata to mimic a trusted tool kind or by using tool names that are not recognized as core tools but are interpreted as read-related. Once the call is made, the absence of a prompt approval indicates successful exploitation.

Remediation

Users can update to OpenClaw version 2026.2.23 or later, where this vulnerability has been patched. The update includes changes to the permission auto-approval policy, requiring trusted core tool IDs and scoping read approvals to the active working directory.