GHSA-7rcp-mxpq-72pj: OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution
Summary
OpenClaw's manual OAuth login flow (a way to securely connect accounts using a third-party service) had a vulnerability where it didn't properly validate a security token called 'state', which could allow attackers to trick users into logging in with the wrong account. The automatic login flow was not affected by this issue.
Solution / Mitigation
The manual flow now requires the full redirect URL (must include both the authorization code and state parameter), validates the returned state against the expected value, and rejects code-only pastes. This fix is available in openclaw version 2026.2.14 and later (commit a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47).
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Original source: https://github.com/advisories/GHSA-7rcp-mxpq-72pj
First tracked: February 18, 2026 at 03:00 PM
Classified by LLM (prompt v3) · confidence: 75%