CVE-2026-32004

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.2

Description OpenClaw versions before 2026.3.2 contain an authentication bypass issue in the /api/channels route classification. This is due to a mismatch in canonicalization depth between authentication path classification and route path canonicalization. Attackers can bypass route authentication checks by submitting deeply encoded slash variants, such as multi-encoded %2f, to access protected /api/channels endpoints. The issue allows alternate encoded paths to evade protected-prefix authentication checks while still resolving to /api/channels/... in plugin route handling. The vulnerable component relies on gateway authentication for /api/channels/* protection. The issue stems from diverging authentication path classification and route path canonicalization for deeply encoded slash variants.

Recommendations Update OpenClaw to version 2026.3.2 or later.