PT-2026-26420 · Openclaw · Openclaw

Jisung · Published 2026-03-03 · Updated 2026-03-20 · CVE-2026-32039

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.22

Description: OpenClaw versions prior to 2026.2.22 contain an authorization bypass in the toolsBySender group policy matching. An attacker can inherit elevated tool permissions through an identifier collision: because untyped sender keys are compared against mutable identity values such as senderName or senderUsername, a sender who sets one of those values to collide with a privileged key bypasses the sender-authorization policy and gains unauthorized access to privileged tools. The issue occurs only in deployments that use untyped keys; the fix introduces explicit typed sender keys (id:, e164:, username:, name:) and keeps legacy untyped keys on a deprecated ID-only path. The vulnerable component is channels.*.groups.*.toolsBySender.

Recommendations: Update OpenClaw to version 2026.2.22 or later.
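The collision described above, as an added illustration that is not OpenClaw's code: a simplified model of a toolsBySender matcher, with the legacy untyped matching beside matching that honours the typed key prefixes named in the advisory. The Sender field names, the helper names and the sample identities are constructed assumptions.

```typescript
// Added illustration of the flaw behind CVE-2026-32039 and its fix; not OpenClaw's code.
// A group's toolsBySender policy maps a sender key to the tools that sender may call.
// Field names, helper names and the sample identities below are constructed assumptions.

type Sender = { id: string; e164?: string; username?: string; name?: string };
type ToolsBySender = Record<string, string[]>;

// Legacy matching: an untyped key is compared against every identity field, including
// the mutable senderName and senderUsername. Whoever controls one of those fields can
// make it collide with another sender's key and inherit that key's tools.
function resolveToolsLegacy(policy: ToolsBySender, s: Sender): string[] {
  const identities = [s.id, s.e164, s.username, s.name].filter((v) => v !== undefined);
  for (const [key, tools] of Object.entries(policy)) {
    if (key !== "*" && identities.includes(key)) return tools;
  }
  return policy["*"] ?? []; // fallback for senders with no specific entry
}

// Hardened matching, modelled on the advisory's fix: a key carries an explicit type prefix
// and is compared only with that one field; a legacy untyped key matches the stable id only.
const PREFIXES = ["id:", "e164:", "username:", "name:"] as const;

function resolveToolsTyped(policy: ToolsBySender, s: Sender): string[] {
  const fieldFor: Record<string, string | undefined> = {
    "id:": s.id, "e164:": s.e164, "username:": s.username, "name:": s.name,
  };
  for (const [key, tools] of Object.entries(policy)) {
    if (key === "*") continue;
    const prefix = PREFIXES.find((p) => key.startsWith(p));
    if (prefix === undefined) {
      if (key === s.id) return tools; // deprecated untyped key: ID-only path
      continue;
    }
    const want = key.slice(prefix.length);
    const have = fieldFor[prefix];
    if (have !== undefined && have === want) return tools; // name: is an explicit opt-in
  }
  return policy["*"] ?? [];
}

// Constructed scenario: an untyped admin key and a sender whose display name equals it.
function collisionDemo(): { legacy: string[]; typed: string[] } {
  const policy: ToolsBySender = { "admin-1": ["shell", "read"], "*": ["read"] };
  const lookalike: Sender = { id: "user-9", name: "admin-1" };
  return { legacy: resolveToolsLegacy(policy, lookalike), typed: resolveToolsTyped(policy, lookalike) };
}
```

Under the legacy matcher the lookalike sender receives the admin entry's tools; under typed matching it falls back to the wildcard entry, which is the behaviour operators should verify after upgrading and converting their keys to the prefixed form.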

Fix · IDOR · Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-32039
GHSA-WPPH-CJGR-7C39

Affected Products

Openclaw