CVE-2026-32057

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.25

Description The software contains an authentication bypass in the trusted-proxy Control UI pairing mechanism. The system accepts client.id=control-ui without verifying the device’s identity. An authenticated node role websocket client can exploit this by using the control-ui client identifier to bypass pairing requirements and gain unauthorized access to node event execution flows. The API endpoint involved is not specified. The vulnerable parameter is client.id.

Recommendations Update OpenClaw to version 2026.2.25 or later.