CVE-2026-32001
Severity: MEDIUM
OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication
Title source: cna
Description
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject unauthorized node.event calls, triggering agent.request and voice.transcript flows without proper device pairing.
References (3)
Third Party Advisory: GitHub Security Advisory (GHSA-rv2q-f2h5-6xmg)
https://github.com/openclaw/openclaw/security/advisories/GHSA-rv2q-f2h5-6xmg
Patch: Patch Commit
https://github.com/openclaw/openclaw/commit/ddcb2d79b17bf2a42c5037d8aeff1537a12b931e
Third Party Advisory: VulnCheck Advisory: OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication
https://www.vulncheck.com/advisories/openclaw-node-role-device-identity-bypass-via-websocket-authentication
Scores
CVSS v3
5.4
EPSS
0.0027
EPSS Percentile
18.1%
Attack Vector
NETWORK
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (3)
npm/openclaw
0 - 2026.2.22 (npm)
OpenClaw/OpenClaw
< 2026.2.22
OpenClaw/OpenClaw
2026.2.22
Published
Mar 19, 2026
Tracked Since
Mar 20, 2026