OpenClaw Flaws Let Authenticated Users Escalate Privileges and Bypass Authorization
Two high-severity vulnerabilities in OpenClaw exposed paths for authenticated users to gain access beyond their intended roles. CVE-2026-32042 affects versions before 2026.2.25 and allows an attacker with valid shared gateway authentication to present a self-signed, unpaired device identity and bypass pairing requirements, then self-assign elevated operator scopes including operator.admin. The issue is classified as CWE-863 and effectively turns a trusted but unapproved device identity into a route for privilege escalation.
A second flaw, CVE-2026-32051, affects OpenClaw versions before 2026.3.1 and allows users with operator.write scope to reach owner-only tool surfaces such as gateway and cron through agent runs in scoped-token deployments. The authorization mismatch lets lower-privileged authenticated users perform control-plane actions that should be restricted to owners, creating high risk to confidentiality, integrity, and availability. Advisories for both issues point to fixes and security guidance through GitHub and VulnCheck.
Timeline
Mar 29, 2026
OpenClaw discloses HTTP session history authorization bypass
A newly reported OpenClaw Gateway flaw allowed authenticated users without the required operator.read scope to access chat session history through the HTTP endpoint /sessions/:sessionKey/history. The issue was caused by inconsistent authorization checks between the WebSocket path, which enforced scope validation, and the HTTP transport layer, which only verified token validity and user identity.
Mar 26, 2026
OpenClaw fixes trusted-proxy session scope flaw
OpenClaw patched a vulnerability in its gateway WebSocket message handler that let attacker-injected scopes persist in sessions when authorization was granted through a trusted proxy and isControlUi was set to true. The fix in commit ccf16cd8892402022439346ae1d23352e3707e9e added trustedProxyAuthOk to ensure unbound scopes are always scrubbed for proxied sessions.
Mar 21, 2026
CVE-2026-32051 is publicly disclosed
CVE-2026-32051 was publicly disclosed as a high-severity OpenClaw authorization bypass vulnerability, with CWE-863 classification, CVSS details, and references to GitHub and VulnCheck advisories. The disclosure described how operator.write users could access owner-only control-plane functionality through agent runs.
Mar 21, 2026
CVE-2026-32042 is publicly disclosed
The privilege escalation vulnerability CVE-2026-32042 was disclosed with CWE-863 classification, CVSS scoring, and references to a GitHub security advisory and a VulnCheck advisory. The record states it was newly received by disclosure@vulncheck.com on March 21, 2026.
Mar 1, 2026
OpenClaw fixes authorization bypass flaw in version 2026.3.1
OpenClaw released version 2026.3.1 to remediate CVE-2026-32051, an authorization bypass affecting earlier versions that allowed authenticated users with operator.write scope to reach owner-only tool surfaces such as gateway and cron through agent runs. The issue stemmed from inconsistent owner-only access checks during agent execution in scoped-token deployments.
Feb 25, 2026
OpenClaw fixes privilege escalation flaw in version 2026.2.25
OpenClaw addressed CVE-2026-32042, a privilege escalation issue affecting versions from 2026.2.22 up to (but not including) 2026.2.25 that let authenticated users with shared gateway access use an unpaired self-signed device identity to obtain elevated operator scopes, including operator.admin. The CVE record references a fixing commit and related advisories for the issue.
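The timeline entries above describe three authorization failures that share one root cause: a check that existed on one path was missing or weaker on another (HTTP versus WebSocket scope checks, proxied versus token sessions, direct versus agent-run tool access, paired versus unpaired device identities). As an added example that is not part of this story and not OpenClaw's own code, the TypeScript below models the invariants a gateway can enforce so that those paths cannot drift: client-requested scopes are always intersected with the scopes the server itself bound to the identity, an unpaired device identity receives no operator scopes, and both transports and the tool-call path go through a single scope check. The scope names `operator.read`, `operator.write` and `operator.admin`, the `isControlUi` flag and the `gateway`/`cron` tool names come from the text; every other identifier, the token values, device fingerprints, the `bindSessionScopesUnsafe` model of the pre-fix behaviour, and the choice to represent "owner" as holding `operator.admin` are assumptions constructed for this example.

```typescript
// Added example, not OpenClaw's code: a transport-agnostic authorization model.
// All names, tokens and device fingerprints below are constructed for illustration.

type Scope = "operator.read" | "operator.write" | "operator.admin";

interface Session {
  user: string;
  scopes: Set<Scope>;        // scopes actually bound to this session by the server
  viaTrustedProxy: boolean;  // identity came from a trusted reverse proxy, not a token
  devicePaired: boolean;     // the presenting device identity completed pairing
}

// Constructed server-side records. In a real gateway these come from the token
// store, the pairing list and the proxy identity mapping, never from the client.
const TOKEN_SCOPES: Record<string, { user: string; scopes: Scope[] }> = {
  "tok-alice": { user: "alice", scopes: ["operator.read"] },
  "tok-bob": { user: "bob", scopes: ["operator.read", "operator.write"] },
  "tok-dave": { user: "dave", scopes: [] }, // valid token, no operator scopes
};
const PROXY_USER_SCOPES: Record<string, Scope[]> = { carol: ["operator.read"] };
const PAIRED_DEVICES = new Set(["dev-alice-laptop", "dev-bob-phone", "dev-carol-desktop", "dev-dave"]);

interface ConnectRequest {
  token?: string;            // shared gateway token
  proxyUser?: string;        // identity asserted by a trusted reverse proxy (assumed header mapping)
  deviceId: string;          // fingerprint of the self-signed device identity
  requestedScopes?: Scope[]; // client-supplied; must never be trusted as-is
  isControlUi?: boolean;
}

// Resolves the scopes the SERVER has bound to the presented credential.
function boundScopes(req: ConnectRequest): { user: string; scopes: Scope[] } | null {
  if (req.token && TOKEN_SCOPES[req.token]) return TOKEN_SCOPES[req.token];
  if (req.proxyUser && PROXY_USER_SCOPES[req.proxyUser]) {
    return { user: req.proxyUser, scopes: PROXY_USER_SCOPES[req.proxyUser] };
  }
  return null;
}

// Illustrative model of the pre-fix behaviour described in the Mar 26 entry:
// client-requested scopes were kept for proxied control-UI sessions. This is a
// reconstruction from the advisory wording, not OpenClaw's actual code.
function bindSessionScopesUnsafe(req: ConnectRequest): Session | null {
  const bound = boundScopes(req);
  if (!bound) return null;
  const viaTrustedProxy = !req.token && !!req.proxyUser;
  const scopes = new Set<Scope>(bound.scopes);
  if (viaTrustedProxy && req.isControlUi) {
    for (const s of req.requestedScopes ?? []) scopes.add(s); // injected scope persists
  }
  return { user: bound.user, scopes, viaTrustedProxy, devicePaired: PAIRED_DEVICES.has(req.deviceId) };
}

// Hardened binding: requested scopes are always intersected with bound scopes,
// regardless of auth source or isControlUi, and an unpaired device identity is
// given no operator scopes at all, so it cannot self-assign operator.admin.
function bindSessionScopes(req: ConnectRequest): Session | null {
  const bound = boundScopes(req);
  if (!bound) return null;
  const devicePaired = PAIRED_DEVICES.has(req.deviceId);
  const requested = req.requestedScopes ?? bound.scopes;
  const scopes = new Set<Scope>(
    devicePaired ? requested.filter((s) => bound.scopes.includes(s)) : [],
  );
  return { user: bound.user, scopes, viaTrustedProxy: !req.token && !!req.proxyUser, devicePaired };
}

// The one scope check every transport uses. The Mar 29 entry describes an HTTP
// path that verified only token validity; routing HTTP and WebSocket handlers
// through the same function removes that class of drift.
function requireScope(session: Session, scope: Scope): boolean {
  return session.scopes.has(scope);
}

// HTTP handler for /sessions/:sessionKey/history: returns an HTTP status code.
function handleHttpSessionHistory(session: Session, _sessionKey: string): number {
  return requireScope(session, "operator.read") ? 200 : 403;
}

// WebSocket handler for the same operation: same check, different framing.
function handleWsSessionHistory(session: Session, _sessionKey: string): { ok: boolean; error?: string } {
  return requireScope(session, "operator.read") ? { ok: true } : { ok: false, error: "missing scope operator.read" };
}

// Owner-only tool surfaces (the Mar 1 entry names gateway and cron). The same gate
// applies whether a tool is reached directly or from inside an agent run. "Owner"
// is modelled here as holding operator.admin, which is an assumption of this example.
const OWNER_ONLY_TOOLS = new Set(["gateway", "cron"]);
function authorizeToolCall(session: Session, tool: string): boolean {
  if (OWNER_ONLY_TOOLS.has(tool)) return requireScope(session, "operator.admin");
  return requireScope(session, "operator.write");
}
```

The design point is that every consumer of a session reads `session.scopes`, which only `bindSessionScopes` populates; there is no second place where a transport, a proxy branch or an agent-run path can decide on its own what the caller may do.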
Related Stories

OpenClaw Flaws Allowed Authentication Bypass and Admin Privilege Escalation
OpenClaw disclosed two high-severity vulnerabilities affecting versions before `2026.2.21` and `2026.3.25`, exposing gateway routes to unauthorized access and privilege escalation. **CVE-2026-32045** is an authentication bypass in HTTP gateway routes caused by incorrect application of tokenless Tailscale header authentication, allowing attackers on trusted networks to reach protected routes without valid tokens or passwords. The issue is tracked as `CWE-290` and carries a CVSS v3.1 vector of `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N`, indicating a confidentiality-focused impact.
3 weeks ago
Multiple OpenClaw Flaws Enable Code Execution and Consent Bypass
OpenClaw disclosed several high-severity vulnerabilities that can lead to arbitrary code execution and security control bypass across recent releases. **CVE-2026-35641** affects versions before `2026.3.24` and lets a malicious local plugin or hook package use a crafted `.npmrc` file to override the `git` executable during `npm install`, resulting in arbitrary program execution. **CVE-2026-41349** affects versions before `2026.3.28` and allows low-privileged remote attackers to bypass execution approval through `config.patch`, silently disabling agentic consent protections. Belgium's Centre for Cybersecurity warned that multiple OpenClaw flaws can lead to RCE and urged immediate patching. Additional OpenClaw issues published shortly after expand the attack surface. **CVE-2026-41336** affects versions before `2026.3.31` and allows workspace `.env` files to override `OPENCLAW_BUNDLED_HOOKS_DIR`, causing trusted bundled hooks to be replaced with attacker-controlled code from untrusted workspaces. **CVE-2026-41352**, also fixed in `2026.3.31`, allows a device-paired node to bypass the node scope gate and execute arbitrary node commands on the host without proper pairing validation. Separately, the Node.js package **simple-git** disclosed **CVE-2026-6951**, an RCE flaw in versions before `3.36.0` caused by incomplete blocking of Git configuration options, allowing attackers to abuse `--config`, enable `protocol.ext.allow=always`, and trigger execution through an `ext::` clone source when untrusted input reaches the library's options.
1 week ago
OpenClaw Flaws Let Attackers Bypass Group Allowlists and Sender Policies
Two high-severity vulnerabilities in **OpenClaw** exposed weaknesses in how the platform enforced messaging restrictions in its chat integrations. **`CVE-2026-32975`** affects versions before **`2026.3.12`** and stems from weak authorization in Zalouser allowlist mode, where access checks used mutable group display names instead of stable group identifiers. That design allowed an attacker to create a group with the same name as an allowlisted group and bypass channel authorization, potentially causing messages from unintended groups to be routed to the agent. A second flaw, **`CVE-2026-33578`**, affects versions before **`2026.3.28`** in the **Google Chat** and **Zalouser** extensions. In that case, route-level group allowlist policies could silently downgrade to an open sender policy, letting attackers bypass configured sender restrictions and interact with bots that should have been limited to approved groups. Both issues were rated **high severity** with impact to confidentiality, integrity, and availability, and advisories and code references were published alongside fixes in newer OpenClaw releases.
1 month ago