PT-2026-26406 · Openclaw · Openclaw

Luz-Oasis · Published 2026-03-03 · Updated 2026-03-20 · CVE-2026-32025

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.25

Description: OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap for browser-origin WebSocket clients that lets an attacker bypass origin checks and authentication throttling in loopback deployments. An attacker who tricks a user into opening a malicious web page can have the page brute-force the gateway password from the victim's browser, establish an authenticated operator session and invoke the control-plane methods available to the operator role. Successful exploitation requires the gateway to be reachable on loopback, password authentication to be in use, a guessable password, and the victim to open attacker-controlled web content. Three weaknesses combine: origin checks are not enforced for some WebSocket client IDs, authentication attempts arriving over loopback are exempt from password-failure throttling, and a silent local pairing path is available to browser-origin clients.

Recommendations: Update to OpenClaw version 2026.2.25 or later. Enforce browser-origin checks for direct browser WebSocket clients. Apply browser-origin authentication failure throttling with the loopback exemption disabled. Block silent auto-pairing for non-Control-UI browser-origin clients.

Fix

Weakness Enumeration

Improper Authentication (CWE-287)

Origin Validation Error (CWE-346)

Improper Restriction of Excessive Authentication Attempts (CWE-307)

Related Identifiers

CVE-2026-32025
GHSA-JMMG-JQC7-5QF4

Affected Products

Openclaw