PT-2026-26395 · Openclaw · Openclaw

76Embiid21 · Published 2026-03-03 · Updated 2026-03-20 · CVE-2026-32014

CVSS v4.0: 8.6 (High)
Vector: AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.26

Description: OpenClaw is affected by a metadata spoofing issue. The reconnect `platform` and `deviceFamily` fields are accepted from the client without being bound into the device-auth signature, so the signature check does not detect a change to either field. An attacker with a paired node identity on the trusted network can spoof reconnect metadata to bypass platform-based node command policies and gain access to restricted commands.

Recommendations: Versions prior to 2026.2.26 should be updated to version 2026.2.26 or later. The fix adds device-auth payload v3, which signs the normalized `platform` and `deviceFamily` values; verifies v3 first and falls back to v2 only for compatibility; pins the paired metadata server-side; rejects reconnects whose metadata does not match the pinned values and requires explicit repair pairing to change them; and adds regression coverage for reconnect spoof attempts.
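To make the fix concrete, the following is an added illustration written for this entry; it is not OpenClaw's code, and every name in it (the `DEVICE_KEYS` and `PINNED_METADATA` stores, the `PLATFORM_POLICY` table, the payload field names, the v2/v3 message layouts and the use of HMAC-SHA256 over a per-device secret in place of the real device key signature) is an assumption. It places a verifier that only checks a v2 signature and then trusts client-supplied metadata beside the hardened verifier the recommendations describe: v3 signature first, v2 fallback, metadata pinned server-side at pairing time, mismatches rejected, and policy decisions made on the pinned values rather than on what the client sent.

```python
import hashlib
import hmac
import json
from typing import Optional

# Added illustration only: every name, field and key below is an assumption,
# not OpenClaw's real device-auth API. HMAC-SHA256 over a per-device secret
# stands in for whatever device key signature the real protocol uses.
DEVICE_KEYS = {"node-1": b"constructed-per-device-secret"}  # constructed sample

# Metadata captured at pairing time and pinned server-side (constructed sample).
PINNED_METADATA = {"node-1": {"platform": "ios", "deviceFamily": "phone"}}

# Hypothetical platform-based node command policy: the value is the set of
# platforms allowed to run the command; commands not listed are unrestricted.
PLATFORM_POLICY = {"admin.shell": {"linux", "macos"}}


def normalize(value: str) -> str:
    """Normalize metadata before signing so 'iOS ' and 'ios' sign identically."""
    return value.strip().lower()


def v2_message(payload: dict) -> bytes:
    """Pre-fix payload: platform/deviceFamily are NOT covered by the signature."""
    body = {"v": 2, "deviceId": payload["deviceId"], "nonce": payload["nonce"]}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def v3_message(payload: dict) -> bytes:
    """Fixed payload: normalized platform and deviceFamily are bound into the signature."""
    body = {
        "v": 3,
        "deviceId": payload["deviceId"],
        "nonce": payload["nonce"],
        "platform": normalize(payload["platform"]),
        "deviceFamily": normalize(payload["deviceFamily"]),
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, version: int) -> str:
    """Client side: produce the device-auth signature for a v2 or v3 payload."""
    key = DEVICE_KEYS[payload["deviceId"]]
    message = v3_message(payload) if version == 3 else v2_message(payload)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def _matches(key: bytes, message: bytes, sig: str) -> bool:
    return hmac.compare_digest(sig, hmac.new(key, message, hashlib.sha256).hexdigest())


def verify_reconnect_v2_only(payload: dict, sig: str) -> Optional[dict]:
    """Vulnerable verifier: checks the v2 signature, then trusts client metadata as-is."""
    key = DEVICE_KEYS.get(payload["deviceId"])
    if key is None or not _matches(key, v2_message(payload), sig):
        return None
    return {"platform": normalize(payload["platform"]),
            "deviceFamily": normalize(payload["deviceFamily"])}


def verify_reconnect(payload: dict, sig: str) -> Optional[dict]:
    """Hardened verifier: v3 first, v2 fallback, then enforce the pinned metadata.

    Returns the identity the policy layer should use, or None to reject.
    """
    key = DEVICE_KEYS.get(payload["deviceId"])
    if key is None:
        return None
    if not (_matches(key, v3_message(payload), sig) or _matches(key, v2_message(payload), sig)):
        return None
    pinned = PINNED_METADATA.get(payload["deviceId"])
    if pinned is None:
        return None  # never paired: reconnect is not the place to establish metadata
    claimed = {"platform": normalize(payload["platform"]),
               "deviceFamily": normalize(payload["deviceFamily"])}
    if claimed != pinned:
        # Mismatch: reject; changing pinned metadata requires explicit repair pairing.
        return None
    # Policy decisions use the pinned values, never the client-supplied ones.
    return dict(pinned)


def command_allowed(identity: dict, command: str) -> bool:
    """Hypothetical platform-based node command policy check."""
    allowed = PLATFORM_POLICY.get(command)
    return allowed is None or identity["platform"] in allowed


if __name__ == "__main__":
    honest = {"deviceId": "node-1", "nonce": "n-1", "platform": "iOS", "deviceFamily": "Phone"}
    print("honest v3:", verify_reconnect(honest, sign(honest, 3)))
    # The same paired node re-sending its metadata with a different platform
    # string: the v2 signature stays valid because v2 never covered that field.
    mismatched = dict(honest, platform="linux")
    print("mismatched, old verifier:", verify_reconnect_v2_only(mismatched, sign(mismatched, 2)))
    print("mismatched, hardened:", verify_reconnect(mismatched, sign(mismatched, 2)))
```

Two details matter when running it. The v2 fallback is safe only because the pinned-metadata check follows it: a valid v2 signature still cannot change the platform the policy layer sees. And a valid v3 signature over different metadata is also rejected, since the pin, not the signature alone, decides what the server believes about a paired node; only explicit repair pairing would update it.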

Weakness Enumeration

Authentication Bypass by Spoofing

Incorrect Authorization

Related Identifiers

CVE-2026-32014
GHSA-R65X-2HQR-J5HF

Affected Products

Openclaw