PT-2026-26395 · Openclaw · Openclaw
76Embiid21 · Published 2026-03-03 · Updated 2026-03-20 · CVE-2026-32014
CVSS v4.0: 8.6 (High)
| Vector | AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.26
Description
OpenClaw is affected by a metadata spoofing issue: the reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature. An attacker holding a paired node identity on the trusted network can therefore spoof reconnect metadata to bypass platform-based node command policies and reach restricted commands.
Recommendations
Versions prior to 2026.2.26 should be updated to version 2026.2.26 or later. Add a device-auth payload v3 that signs the normalized platform and deviceFamily. Verify v3 first (falling back to v2 for compatibility) while pinning paired metadata server-side. Reject reconnect metadata mismatches and require explicit repair pairing to change pinned metadata. Add regression coverage for reconnect spoof attempts.
Fix
Incorrect Authorization
Authentication Bypass by Spoofing
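The recommended fix, worked through as an added example that is not OpenClaw's own code: a v2 payload that leaves platform and deviceFamily outside the signed bytes, the v3 payload that binds their normalized form, and a server check that verifies v3 before v2 and then enforces the metadata pinned at pairing. The message shape, field normalization (trim and lower-case), payload encoding and use of Ed25519 device keys are assumptions, not details taken from the project.

```typescript
import * as crypto from "node:crypto";

// Hypothetical reconnect message; field names follow the advisory, the shape is assumed.
interface Reconnect { deviceId: string; nonce: string; platform: string; deviceFamily: string; signature: Buffer }
// Metadata pinned server-side at pairing time (assumed structure).
interface Pinned { publicKey: crypto.KeyObject; platform: string; deviceFamily: string }
// Normalization assumed for the signed fields: trimmed and lower-cased.
const norm = (s: string): string => s.trim().toLowerCase();

// v2 signed bytes (the vulnerable shape): platform and deviceFamily are not covered.
export function payloadV2(r: Reconnect): Buffer {
  return Buffer.from(`device-auth-v2|${r.deviceId}|${r.nonce}`);
}
// v3 signed bytes (the fix): normalized platform and deviceFamily are bound into the signature.
export function payloadV3(r: Reconnect): Buffer {
  return Buffer.from(`device-auth-v3|${r.deviceId}|${r.nonce}|${norm(r.platform)}|${norm(r.deviceFamily)}`);
}
export function sign(r: Reconnect, version: 2 | 3, priv: crypto.KeyObject): Buffer {
  return crypto.sign(null, version === 3 ? payloadV3(r) : payloadV2(r), priv); // Ed25519 device key
}

// Verify v3 first, fall back to v2 for compatibility, then enforce the pin regardless of version.
// A mismatch is rejected; changing pinned metadata must go through explicit repair pairing.
export function verifyReconnect(r: Reconnect, pinned: Pinned): "ok" | "bad-signature" | "metadata-mismatch" {
  const sigOk = crypto.verify(null, payloadV3(r), pinned.publicKey, r.signature)
    || crypto.verify(null, payloadV2(r), pinned.publicKey, r.signature);
  if (!sigOk) return "bad-signature";
  if (norm(r.platform) !== norm(pinned.platform) || norm(r.deviceFamily) !== norm(pinned.deviceFamily)) {
    return "metadata-mismatch";
  }
  return "ok";
}

// Constructed scenario: a paired node (key holder) claims a different platform on reconnect.
export function demo(): Record<string, string> {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const pinned: Pinned = { publicKey, platform: "ios", deviceFamily: "phone" };
  const base: Reconnect = { deviceId: "node-1", nonce: "n1", platform: "iOS", deviceFamily: "phone", signature: Buffer.alloc(0) };
  const honest = { ...base, signature: sign(base, 3, privateKey) };
  // The v2 signature stays valid after platform is changed (the flaw); only the pin catches it.
  const spoofedV2 = { ...base, platform: "macos", signature: sign(base, 2, privateKey) };
  const spoofedV3 = { ...base, platform: "macos" };
  spoofedV3.signature = sign(spoofedV3, 3, privateKey); // key holder re-signs the spoofed metadata
  const tampered = { ...honest, platform: "macos" }; // altered in transit without the key
  return {
    honest: verifyReconnect(honest, pinned),
    spoofedV2: verifyReconnect(spoofedV2, pinned),
    spoofedV3: verifyReconnect(spoofedV3, pinned),
    tampered: verifyReconnect(tampered, pinned),
  };
}
```

Note that binding the fields into the signature alone does not stop a client that holds the paired key and re-signs spoofed metadata; the server-side pin is what rejects that case.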
Related identifiers
Affected products
Openclaw