{"data":{"id":"aba4ad3b-ea8f-483c-86b4-e22c7f0c93af","title":"GHSA-7rcp-mxpq-72pj: OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution","summary":"OpenClaw's manual OAuth login flow (a way to securely connect accounts using a third-party service) had a vulnerability where it didn't properly validate a security token called 'state', which could allow attackers to trick users into logging in with the wrong account. The automatic login flow was not affected by this issue.","solution":"The manual flow now requires the full redirect URL (must include both the authorization code and state parameter), validates the returned state against the expected value, and rejects code-only pastes. This fix is available in openclaw version 2026.2.14 and later (commit a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47).","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-7rcp-mxpq-72pj","publishedAt":"2026-02-18T17:41:00.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.2.14 (fixed: 2026.2.14)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw","Chutes"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}