Improper access control in OpenClaw - CVE-2026-32039

Published: May 1, 2026


Vulnerability identifier: #VU128806
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32039
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
OpenClaw
Software vendor:
OpenClaw

Description

The vulnerability allows a remote attacker to bypass the sender authorization policy.

The vulnerability exists due to improper access control in the channels.*.groups.*.toolsBySender configuration. Sender policies are matched using untyped keys, so an identifier of one kind can match a policy key that was written for an identifier of another kind. A remote attacker can force such an identifier collision to bypass the sender authorization policy and reach tools that the policy did not grant to that sender.

Only deployments that use toolsBySender with untyped keys are vulnerable.
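To make the failure mode concrete, the following is an added illustration of untyped versus typed sender keys in a per-sender tool policy. It is not OpenClaw's code and does not describe how toolsBySender is implemented; the Sender fields, the "id:" and "username:" key prefixes, the "*" fallback key and the sample identities are assumptions made for this example. It shows how a bare key meant for a platform-assigned id can be matched by an attacker-chosen handle, how a typed key closes that collision, and a small check that flags untyped keys in a policy map.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical model of a toolsBySender policy map. Not OpenClaw's code; the
# Sender fields, the "id:"/"username:" prefixes and the "*" fallback key are
# assumptions for this illustration only.

Policy = Dict[str, List[str]]  # e.g. {"allow": ["exec"]}


@dataclass(frozen=True)
class Sender:
    platform_id: str  # assigned by the chat platform; the user cannot choose it
    username: str     # user-chosen handle; an attacker controls this value


FALLBACK_KEY = "*"
KEY_KINDS = ("id", "username")  # typed key prefixes this model recognises


def resolve_untyped(tools_by_sender: Dict[str, Policy], sender: Sender) -> Optional[Policy]:
    """Vulnerable pattern: a bare key is compared against every identifier kind.

    Because the key carries no type, the string "1001" matches a sender whose
    platform_id is 1001 and also a sender who merely named themselves "1001".
    """
    for candidate in (sender.platform_id, sender.username):
        if candidate in tools_by_sender:
            return tools_by_sender[candidate]
    return tools_by_sender.get(FALLBACK_KEY)


def resolve_typed(tools_by_sender: Dict[str, Policy], sender: Sender) -> Optional[Policy]:
    """Hardened pattern: each key is "<kind>:<value>" and matches only that field."""
    typed_lookup = {
        "id": f"id:{sender.platform_id}",
        "username": f"username:{sender.username}",
    }
    # Stable, platform-assigned identifiers are consulted before user-chosen ones.
    for kind in KEY_KINDS:
        key = typed_lookup[kind]
        if key in tools_by_sender:
            return tools_by_sender[key]
    return tools_by_sender.get(FALLBACK_KEY)


def find_untyped_keys(tools_by_sender: Dict[str, Policy]) -> List[str]:
    """Config check: return every key that is neither the fallback nor '<kind>:<value>'."""
    bad: List[str] = []
    for key in tools_by_sender:
        if key == FALLBACK_KEY:
            continue
        kind, sep, value = key.partition(":")
        if not sep or kind not in KEY_KINDS or not value:
            bad.append(key)
    return bad


# Constructed sample data.
TRUSTED = Sender(platform_id="1001", username="alice")
ATTACKER = Sender(platform_id="2002", username="1001")  # handle chosen to collide with alice's id

UNTYPED_POLICY: Dict[str, Policy] = {
    "1001": {"allow": ["exec"]},       # operator meant alice's platform id only
    FALLBACK_KEY: {"allow": ["read"]},
}
TYPED_POLICY: Dict[str, Policy] = {
    "id:1001": {"allow": ["exec"]},    # same intent, now bound to the id field
    FALLBACK_KEY: {"allow": ["read"]},
}

if __name__ == "__main__":
    print("untyped, attacker ->", resolve_untyped(UNTYPED_POLICY, ATTACKER))  # {'allow': ['exec']}
    print("typed,   attacker ->", resolve_typed(TYPED_POLICY, ATTACKER))      # {'allow': ['read']}
    print("typed,   trusted  ->", resolve_typed(TYPED_POLICY, TRUSTED))       # {'allow': ['exec']}
    print("untyped keys found:", find_untyped_keys(UNTYPED_POLICY))          # ['1001']
```

Running find_untyped_keys over an existing policy map is the quick way to tell whether a deployment falls into the vulnerable configuration described above: any key returned is one that a colliding identifier of another kind could match.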


Remediation

Install the security update from the vendor's website. As a stopgap until it is applied, use typed keys in toolsBySender, since only untyped keys are affected.

External links