OpenClaw Flaws Let Authenticated Users Escalate Privileges and Bypass Authorization
Two high-severity vulnerabilities in OpenClaw exposed paths for authenticated users to gain access beyond their intended roles. CVE-2026-32042 affects versions before 2026.2.25 and allows an attacker with valid shared gateway authentication to present a self-signed, unpaired device identity and bypass pairing requirements, then self-assign elevated operator scopes including operator.admin. The issue is classified as CWE-863 and effectively turns a trusted but unapproved device identity into a route for privilege escalation.
A second flaw, CVE-2026-32051, affects OpenClaw versions before 2026.3.1 and allows users with operator.write scope to reach owner-only tool surfaces such as gateway and cron through agent runs in scoped-token deployments. The authorization mismatch lets lower-privileged authenticated users perform control-plane actions that should be restricted to owners, creating high risk to confidentiality, integrity, and availability. Advisories for both issues point to fixes and security guidance through GitHub and VulnCheck.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
OpenClaw discloses HTTP session history authorization bypass
A newly reported OpenClaw Gateway flaw allowed authenticated users without the required operator.read scope to access chat session history through the HTTP endpoint /sessions/:sessionKey/history. The issue was caused by inconsistent authorization checks between the WebSocket path, which enforced scope validation, and the HTTP transport layer, which only verified token validity and user identity.
OpenClaw fixes trusted-proxy session scope flaw
OpenClaw patched a vulnerability in its gateway WebSocket message handler that let attacker-injected scopes persist in sessions when authorization was granted through a trusted proxy and isControlUi was set to true. The fix in commit ccf16cd8892402022439346ae1d23352e3707e9e added trustedProxyAuthOk to ensure unbound scopes are always scrubbed for proxied sessions.
CVE-2026-32051 is publicly disclosed
CVE-2026-32051 was publicly disclosed as a high-severity OpenClaw authorization bypass vulnerability, with CWE-863 classification, CVSS details, and references to GitHub and VulnCheck advisories. The disclosure described how operator.write users could access owner-only control-plane functionality through agent runs.
CVE-2026-32042 is publicly disclosed
The privilege escalation vulnerability CVE-2026-32042 was disclosed with CWE-863 classification, CVSS scoring, and references to a GitHub security advisory and a VulnCheck advisory. The record states it was newly received by disclosure@vulncheck.com on March 21, 2026.
OpenClaw fixes authorization bypass flaw in version 2026.3.1
OpenClaw released version 2026.3.1 to remediate CVE-2026-32051, an authorization bypass affecting earlier versions that allowed authenticated users with operator.write scope to reach owner-only tool surfaces such as gateway and cron through agent runs. The issue stemmed from inconsistent owner-only access checks during agent execution in scoped-token deployments.
OpenClaw fixes privilege escalation flaw in version 2026.2.25
OpenClaw addressed CVE-2026-32042, a privilege escalation issue affecting versions from 2026.2.22 up to (but not including) 2026.2.25 that let authenticated users with shared gateway access use an unpaired self-signed device identity to obtain elevated operator scopes, including operator.admin. The CVE record references a fixing commit and related advisories for the issue.
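The common thread in the summary and timeline entries above is authorization that hinged on token validity, transport, or client-asserted scopes instead of one policy. The model below is an added example (not OpenClaw's code); the Session fields, action names, helper names and sample sessions are constructed for illustration, while the scope names, the owner-only tools (gateway, cron) and the failure modes come from the advisories described here.

```python
from dataclasses import dataclass

# Constructed policy tables; scope and tool names follow the advisories above.
OWNER_ONLY_TOOLS = frozenset({"gateway", "cron"})
REQUIRED_SCOPE = {"sessions.history": "operator.read", "agent.run": "operator.write"}


@dataclass(frozen=True)
class Session:
    token_valid: bool
    role: str                                   # "owner" or "operator"
    bound_scopes: frozenset                     # scopes bound to the token when issued
    requested_scopes: frozenset = frozenset()   # scopes the client asked for on connect
    device_paired: bool = True                  # device identity approved through pairing
    via_trusted_proxy: bool = False             # identity asserted by a trusted proxy


def effective_scopes(s: Session) -> frozenset:
    """Scopes the session may exercise, derived once and reused by every transport."""
    if not s.token_valid or not s.device_paired:
        return frozenset()          # a valid shared token with an unpaired device earns nothing
    if s.via_trusted_proxy or not s.requested_scopes:
        return s.bound_scopes       # proxied sessions: client-supplied scopes never persist
    return s.bound_scopes & s.requested_scopes   # a request may narrow, never widen


def authorize(s: Session, action: str, tool: str = "") -> bool:
    """Single decision point that both the HTTP and WebSocket handlers must call."""
    if REQUIRED_SCOPE[action] not in effective_scopes(s):
        return False                # token validity alone is not authorization
    # operator.write allows an agent run, but owner-only control-plane tools
    # additionally require the owner role, whatever scopes the token carries.
    if action == "agent.run" and tool in OWNER_ONLY_TOOLS and s.role != "owner":
        return False
    return True


if __name__ == "__main__":
    # Constructed sessions mirroring the failure modes described in the timeline.
    writer = Session(True, "operator", frozenset({"operator.write"}))
    unpaired = Session(True, "operator", frozenset({"operator.read"}),
                       requested_scopes=frozenset({"operator.admin"}), device_paired=False)
    proxied = Session(True, "operator", frozenset({"operator.read"}),
                      requested_scopes=frozenset({"operator.admin"}), via_trusted_proxy=True)
    owner = Session(True, "owner", frozenset({"operator.write", "operator.admin"}))
    print("history with only operator.write:", authorize(writer, "sessions.history"))  # False
    print("scopes for unpaired device:", set(effective_scopes(unpaired)))              # set()
    print("scopes for proxied session:", set(effective_scopes(proxied)))               # {'operator.read'}
    print("operator.write -> cron:", authorize(writer, "agent.run", "cron"))           # False
    print("owner -> cron:", authorize(owner, "agent.run", "cron"))                      # True
```

Routing every transport through `authorize` is what removes the HTTP-versus-WebSocket mismatch; a handler that checks only `token_valid` reintroduces it.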
Sources
Warning: Privilege Escalation in OpenClaw, Patch Immediately! | CCB Belgium
ccb.belgium.be
GHSA-5JVJ-HXMH-6H6J: Authorization Bypass in OpenClaw Gateway HTTP Session History | CVEReports
cvereports.com
GHSA-48VW-M3QC-WR99: Improper Privilege Management in OpenClaw Gateway Trusted-Proxy Sessions | CVEReports
cvereports.com
CVE-2026-32042 - OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication
cvefeed.io
CVE-2026-32051 - OpenClaw < 2026.3.1 - Authorization Bypass in Agent Runs via Owner-Only Tool Access
cvefeed.io