#VU125077 Authentication Bypass by Spoofing in OpenClaw - CVE-2026-32014

Published: April 7, 2026


Vulnerability identifier: #VU125077
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-32014
CWE-ID: CWE-290
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a remote user to gain access to commands that should remain blocked for the originally paired platform.

The vulnerability exists because the node reconnect handler trusts client-supplied platform and deviceFamily metadata when a node reconnects (authentication bypass by spoofing, CWE-290). A remote user holding a paired node identity can supply spoofed reconnect metadata and gain access to commands that should remain blocked for the platform the node was originally paired as.

Exploitation requires an already paired node identity on the trusted network, and affects configurations where node command policy differs by platform.
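The pattern behind this class of bug, and the fix, are easier to see side by side. The following is an added illustration written for this page, not OpenClaw's code: the node identities, token, platform labels, command names and the command policy are all constructed and hypothetical. The "before" handler authenticates the reconnecting node correctly but then lets the reconnect message decide which platform's command policy applies; the "after" handler takes platform and deviceFamily only from the record created at pairing time and refuses a reconnect whose claimed metadata disagrees with it.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed per-platform command policy (hypothetical command names and platform
# labels, not OpenClaw's): the set of commands a node may run, keyed by the
# platform it paired as.
COMMAND_POLICY = {
    "ios": {"camera.snap", "location.get"},
    "macos": {"camera.snap", "location.get", "system.run"},
}


@dataclass(frozen=True)
class PairedNode:
    node_id: str
    token: str
    platform: str        # recorded at pairing time
    device_family: str   # recorded at pairing time


PAIRED: dict[str, PairedNode] = {}


def pair_node(node_id: str, token: str, platform: str, device_family: str) -> None:
    """Record a node's identity together with its platform metadata at pairing."""
    PAIRED[node_id] = PairedNode(node_id, token, platform, device_family)


def _authenticate(node_id: str, token: str) -> Optional[PairedNode]:
    """Look up the paired node and check its token in constant time."""
    node = PAIRED.get(node_id)
    if node is None or not hmac.compare_digest(node.token, token):
        return None
    return node


def reconnect_vulnerable(node_id: str, token: str, client_meta: dict) -> Optional[dict]:
    """Before: authentication succeeds, but the session's platform/deviceFamily
    are copied from the reconnect message, so the command policy that applies
    is chosen by the client rather than by the pairing record."""
    node = _authenticate(node_id, token)
    if node is None:
        return None
    return {
        "node_id": node.node_id,
        "platform": client_meta.get("platform", node.platform),
        "device_family": client_meta.get("deviceFamily", node.device_family),
    }


def reconnect_hardened(node_id: str, token: str, client_meta: dict) -> Optional[dict]:
    """After: platform/deviceFamily come only from the pairing record. A reconnect
    that claims different values is refused and should be logged, since a paired
    node does not legitimately change platform between sessions."""
    node = _authenticate(node_id, token)
    if node is None:
        return None
    claimed_platform = client_meta.get("platform", node.platform)
    claimed_family = client_meta.get("deviceFamily", node.device_family)
    if claimed_platform != node.platform or claimed_family != node.device_family:
        return None  # mismatch with the paired identity: treat as an auth failure
    return {
        "node_id": node.node_id,
        "platform": node.platform,
        "device_family": node.device_family,
    }


def is_command_allowed(session: dict, command: str) -> bool:
    """Policy check: is this command permitted for the session's platform?"""
    return command in COMMAND_POLICY.get(session["platform"], set())


if __name__ == "__main__":
    # Constructed scenario: a node paired as iOS reconnects claiming to be macOS.
    pair_node("node-1", "t0ken", "ios", "phone")
    spoofed = {"platform": "macos", "deviceFamily": "desktop"}
    before = reconnect_vulnerable("node-1", "t0ken", spoofed)
    after = reconnect_hardened("node-1", "t0ken", spoofed)
    print("vulnerable session allows system.run:", is_command_allowed(before, "system.run"))
    print("hardened session for spoofed reconnect:", after)
```

The point of the hardened version is that authentication (is this the paired node?) and authorization (which platform policy applies?) both key off the pairing record; the reconnect message contributes nothing that the policy decision depends on. The same property is what a reviewer should look for in any reconnect or session-resume path: client-supplied attributes are fine to log and compare, but not to trust.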


Remediation

Install the security update from the vendor's website.

External links