Authentication Bypass by Spoofing in OpenClaw - CVE-2026-32014


Published: April 7, 2026


Vulnerability identifier: #VU125077
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32014
CWE-ID: CWE-290
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to gain access to commands that should remain blocked for the originally paired platform.

The vulnerability exists because the node reconnect metadata handling accepts client-supplied platform and deviceFamily metadata during node reconnection (authentication bypass by spoofing). A remote user can spoof the reconnect metadata to gain access to commands that should remain blocked for the originally paired platform.

Exploitation requires an already paired node identity on the trusted network, and affects configurations where node command policy differs by platform.
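The pattern behind this class of bug, shown as an added Python illustration that is not OpenClaw's code: the record written at pairing time stays the only source of truth for platform and deviceFamily on reconnect, and any client-supplied values are compared for detection rather than applied. The policy table, node names and sample metadata are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical per-platform policy: commands a platform may not run.
BLOCKED_BY_PLATFORM = {"mobile": {"shell.exec", "fs.write"}, "desktop": set()}


@dataclass(frozen=True)
class PairedNode:
    node_id: str
    platform: str
    device_family: str


# Identity recorded when the node was paired (constructed sample data).
PAIRED = {"node-1": PairedNode("node-1", "mobile", "phone")}


def reconnect_trusting_client(node_id: str, meta: dict) -> Optional[PairedNode]:
    """Weak pattern: client-supplied reconnect metadata overrides the paired record,
    so the command policy is later evaluated against whatever the client claimed."""
    paired = PAIRED.get(node_id)
    if paired is None:
        return None
    return PairedNode(node_id, meta.get("platform", paired.platform),
                      meta.get("deviceFamily", paired.device_family))


def reconnect_bound_to_pairing(node_id: str, meta: dict) -> tuple[Optional[PairedNode], list[str]]:
    """Hardened pattern: platform/deviceFamily come only from the pairing record.
    Client values are checked for mismatches (a detection signal) but never applied.
    Returns (effective node identity, list of findings)."""
    paired = PAIRED.get(node_id)
    if paired is None:
        return None, ["unknown node identity"]
    findings = []
    for field, stored in (("platform", paired.platform), ("deviceFamily", paired.device_family)):
        claimed = meta.get(field)
        if claimed is not None and claimed != stored:
            findings.append(f"{field} mismatch: paired={stored} claimed={claimed}")
    # Policy must be evaluated against the paired identity regardless of the claims.
    return paired, findings


def command_allowed(node: PairedNode, command: str) -> bool:
    """Apply the per-platform policy to the effective node identity."""
    return command not in BLOCKED_BY_PLATFORM.get(node.platform, set())
```

A non-empty findings list on reconnect is worth logging and alerting on, since a paired node's platform should not change between sessions.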


How to mitigate CVE-2026-32014

Install the security update from the vendor's website.

Sources