Improper Authorization in OpenClaw - CVE-2026-32034

 

Improper Authorization in OpenClaw - CVE-2026-32034

Published: May 1, 2026


Vulnerability identifier: #VU128838
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32034
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to gain privileged operator access.

The vulnerability exists due to improper authorization in the Control UI authentication mechanism when the gateway is exposed over plaintext HTTP with insecure authentication enabled. A remote user can use leaked or intercepted credentials to gain privileged operator access.

Exploitation requires the operator to have explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP.


How to mitigate CVE-2026-32034

Install security update from vendor's website.

Sources