Executive Summary

CVE-2026-32898 is an authorization bypass vulnerability in the OpenClaw ACP client versions prior to 2026.2.23. The vulnerability arises because the client auto-approves permission requests for read-class operations based on untrusted tool metadata (specifically the toolCall.kind field) and permissive heuristics on tool names. Attackers can exploit this by spoofing the tool metadata or using non-core read-like operation names to bypass interactive approval prompts, gaining unauthorized access to resources.

The root cause is that the ACP client trusted the server-provided toolCall.kind metadata and used lenient name matching to auto-approve permission requests without sufficient validation or scoping. This allowed malicious or compromised tools to gain unauthorized read permissions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to files or data by bypassing the interactive approval prompts that are supposed to protect read-class operations. Attackers can exploit the auto-approval mechanism to perform read operations outside the intended scope, potentially accessing sensitive information without user consent.

Specifically, attackers can spoof tool metadata or use non-core read-like tool names to trick the ACP client into auto-approving permission requests, which may result in privilege escalation or unauthorized data disclosure.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or suspicious ACP client permission auto-approval events, especially those that bypass interactive approval prompts for read-class operations.

Since the vulnerability exploits spoofed toolCall.kind metadata and permissive name heuristics, detection can focus on identifying tool calls with unusual or non-core tool names, spoofed metadata fields, or read operations accessing files outside the current working directory.

Commands or methods to detect this might include:

• Enable and review ACP client debug or audit logs to identify permission requests that were auto-approved without explicit user prompts.
• Search logs for tool calls with suspicious or non-standard tool names, especially those that mimic read-like operations but are not in the trusted core tool ID allowlist.
• Monitor file access patterns for reads outside the expected current working directory scope.
• Use system or network monitoring tools to detect unusual ACP client activity or permission grants.

Specific commands are not provided in the available resources, but enabling verbose or debug logging in the ACP client and analyzing those logs for anomalies related to toolCall.kind spoofing or out-of-scope file reads is recommended.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the OpenClaw ACP client to version 2026.2.23 or later, where the issue has been fixed.

The fix includes:

• Restricting auto-approval to a strict allowlist of trusted core tool IDs.
• Scoping read permission auto-approval strictly to files within the current working directory.
• Ignoring untrusted server-provided toolCall.kind metadata to prevent spoofing.
• Enforcing strict validation of tool names to reject malformed or suspicious names.

If upgrading immediately is not possible, consider disabling or restricting the ACP client’s auto-approval feature, enabling interactive approval prompts for all permission requests, and monitoring for suspicious tool calls as a temporary mitigation.

Useful 0 Not Useful 0