CVE-2026-32001

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.22

Description An authentication bypass allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during a WebSocket handshake to inject unauthorized node.event calls, triggering agent.request and voice.transcript flows without proper device pairing. The WebSocket connect path allowed device-less bypass whenever shared authentication succeeded, and did not restrict the role. This enabled unauthorized node.event injection into agent-trigger flows.

Recommendations Upgrade to version 2026.2.22 or newer. The fix requires device identity for role=node connects, even when shared-token authentication succeeds.