CVE-2026-32031

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.26

Description The server-http component of OpenClaw contains an authentication bypass in gateway authentication for plugin channel endpoints. This is due to a path canonicalization mismatch between the gateway guard and plugin handler routing. Attackers can bypass authentication by sending requests with alternative path encodings to access protected plugin channel APIs without proper gateway authentication. Specifically, the server-http component applies gateway authentication only when the raw requestPath matches exactly, such as '/api/channels' or '/api/channels/'. If a plugin handler canonicalizes the path input (for example, using decodeURIComponent(pathname).toLowerCase()), requests like '/API/channels/nostr/default/profile' or '/api/channels%2Fnostr%2Fdefault%2Fprofile' can be interpreted as '/api/channels/' by the plugin, while the gateway authentication guard is skipped. This allows unauthorized callers to access plugin channel APIs that require gateway authentication.

Recommendations Versions prior to 2026.2.26 should be updated.