CVE-2026-32001

MEDIUM

OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication

Title source: cna

Description

OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject unauthorized node.event calls, triggering agent.request and voice.transcript flows without proper device pairing.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-rv2q-f2h5-6xmg

[Patch] https://github.com/openclaw/openclaw/commit/ddcb2d79b17bf2a42c5037d8aeff1537a12b931e

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-node-role-device-identity-bypass-via-websocket-authentication

Scores

CVSS v3 5.4

EPSS 0.0008

EPSS Percentile 23.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (3)

npm/openclaw 0 - 2026.2.22npm

OpenClaw/OpenClaw < 2026.2.22

OpenClaw/OpenClaw 2026.2.22

Published Mar 19, 2026

Tracked Since Mar 20, 2026