CVE-2026-32051

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.1

Description An authorization mismatch exists that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces, including gateway and cron, through agent runs in scoped-token deployments. Attackers with write-scope access can perform control-plane actions beyond their intended authorization level due to inconsistent owner-only gating during agent execution.

Recommendations Update OpenClaw to version 2026.3.1 or later.