CVE-2026-32057

HighPublic PoC

Published: 21 March 2026

Published

21 March 2026

Modified

25 March 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

EPSS Score 0.0011 28.7th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier…

to skip pairing requirements and gain unauthorized access to node event execution flows.

Mitigating Controls (NIST 800-53 r5)AI

IA-3 Device Identification and Authentication good match

prevent

IA-3 requires device identification and authentication before establishing connections, directly preventing the authentication bypass by enforcing proper device identity verification in the Control UI pairing mechanism.

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved access control policies for logical access to system resources, mitigating unauthorized access to node event execution flows gained by bypassing pairing requirements.

SI-2 Flaw Remediation good match

preventrecover

SI-2 mandates timely identification, reporting, and correction of system flaws like this CVE, directly addressing the vulnerability through patching as recommended in the advisory.

Security SummaryAI

CVE-2026-32057 is an authentication bypass vulnerability (CWE-807) in OpenClaw versions prior to 2026.2.25. The flaw exists in the trusted-proxy Control UI pairing mechanism, which accepts the client.id=control-ui parameter without performing proper device identity verification, published on 2026-03-21.

An authenticated node role WebSocket client can exploit this vulnerability over the network with low complexity and no user interaction. By using the control-ui client identifier, the attacker bypasses pairing requirements to gain unauthorized access to node event execution flows, resulting in low confidentiality impact, high integrity impact, and no availability impact. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

Advisories recommend upgrading to OpenClaw version 2026.2.25 or later, where the issue is addressed via the patch in GitHub commit ec45c317f5d0631a3d333b236da58c4749ede2a3. Additional details on the vulnerability and remediation are provided in the GitHub Security Advisory at GHSA-vvgp-4c28-m3jm and the Vulncheck advisory at https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-ui-client-id-parameter.

Details

CWE(s): CWE-807

Affected Products

openclaw

≤ 2026.2.25

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Authentication bypass in remote WebSocket service exploitable by low-privileged (PR:L) authenticated node role client to gain unauthorized control over node event execution flows, directly enabling T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/openclaw/openclaw/commit/ec45c317f5d0631a3d333b236da58c4749ede2a3
Patch · disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-vvgp-4c28-m3jm
Vendor Advisory · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-ui-client-id-parameter
Third Party Advisory · disclosure@vulncheck.com