CVE-2026-32004

HIGH · EPSS 21.4%
Published Mar 19, 2026 (3 months ago) · Modified Mar 23, 2026 (3 months ago)
8.3 CVSS 4.0
High

Description

OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification, caused by a canonicalization depth mismatch between auth-path classification and route-path canonicalization: the authentication check classifies the path after a shallower decoding than the router applies when resolving it. Attackers can bypass plugin route authentication checks by submitting deeply encoded slash variants, such as a multi-encoded %2f, so that the path is not recognized as protected at classification time yet still resolves to a protected /api/channels endpoint at routing time.
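The following constructed Python example is added here to illustrate the bug class named in the description (it is not OpenClaw's code and assumes nothing about its internals): an auth classifier that percent-decodes once is compared with a router that decodes to a fixed point, then a hardened classifier and a consistency check are shown that close the gap by classifying on the same canonical form the router uses.

```python
from urllib.parse import unquote

# Constructed illustration of a canonicalization depth mismatch.
# Hypothetical functions; NOT OpenClaw's implementation.

PROTECTED_PREFIX = "/api/channels"
MAX_DECODE_ROUNDS = 8  # bound on nested percent-encoding layers we accept


def decode_once(path: str) -> str:
    """Single percent-decode, as a shallow auth classifier might do."""
    return unquote(path)


def decode_to_fixed_point(path: str) -> str:
    """Decode repeatedly until the string stops changing.

    Raises ValueError if the encoding is nested deeper than the round cap,
    so callers can fail closed instead of guessing."""
    cur = path
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    raise ValueError("percent-encoding nested too deeply")


def route_target(raw_path: str) -> str:
    """Router view: fully canonical path with repeated slashes collapsed."""
    p = decode_to_fixed_point(raw_path)
    while "//" in p:
        p = p.replace("//", "/")
    return p


def is_protected_vulnerable(raw_path: str) -> bool:
    """Classifies on a once-decoded path; disagrees with route_target()
    whenever a slash is encoded more than one layer deep."""
    return decode_once(raw_path).startswith(PROTECTED_PREFIX)


def is_protected_fixed(raw_path: str) -> bool:
    """Hardened: classify on the router's canonical form; fail closed."""
    try:
        return route_target(raw_path).startswith(PROTECTED_PREFIX)
    except ValueError:
        return True  # undecodable input is treated as protected


def classification_consistent(raw_path: str) -> bool:
    """Regression check: does the shallow classifier agree with routing?"""
    try:
        routed = route_target(raw_path).startswith(PROTECTED_PREFIX)
    except ValueError:
        return False
    return is_protected_vulnerable(raw_path) == routed
```

Running classification_consistent over every encoded variant a test suite can generate is a cheap way to catch this mismatch before release.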

CVSS Details

Base Score
8.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
21.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-288

Affected Products 1

Vendor | Product | Version Range
openclaw | openclaw | * <2026.3.2

References 6

  • github.com https://github.com/openclaw/openclaw/commit/2fd8264ab03bd178e62a5f0c50d1c8556c17f12d
    Patch
  • github.com https://github.com/openclaw/openclaw/commit/7a7eee920a176a0043398c6b37bf4cc6eb983eeb
    Patch
  • github.com https://github.com/openclaw/openclaw/commit/93b07240257919f770d1e263e1f22753937b80ea
    Patch
  • github.com https://github.com/openclaw/openclaw/commit/d74bc257d8432f17e50b23ae713d7e0623a1fe0f
    Patch
  • github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m
    Vendor Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-encoded-path-in-api-channels-route
    Third Party Advisory

Remediation

  • github.com https://github.com/openclaw/openclaw/commit/2fd8264ab03bd178e62a5f0c50d1c8556c17f12d
    Patch
  • github.com https://github.com/openclaw/openclaw/commit/7a7eee920a176a0043398c6b37bf4cc6eb983eeb
    Patch
  • github.com https://github.com/openclaw/openclaw/commit/93b07240257919f770d1e263e1f22753937b80ea
    Patch
  • github.com https://github.com/openclaw/openclaw/commit/d74bc257d8432f17e50b23ae713d7e0623a1fe0f
    Patch