CVE-2026-32004
Published: 19 March 2026
Summary
CVE-2026-32004 is a medium-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in OpenClaw. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 26.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to protected /api/channels endpoints, directly addressing the authentication bypass caused by the canonicalization depth mismatch.
- SI-10 (Information Input Validation): requires validation and sanitization of information inputs such as deeply encoded slash variants (%2f) in URL paths, so that route authentication checks cannot be bypassed.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as the canonicalization mismatch fixed in OpenClaw 2026.3.2.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authentication bypass in the public-facing /api/channels endpoint, caused by a canonicalization mismatch, directly enables remote exploitation of Internet-facing applications for unauthorized access and modification.
NVD Description
OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due to canonicalization depth mismatch between auth-path classification and route-path canonicalization. Attackers can bypass plugin route authentication checks by submitting deeply encoded slash variants such as multi-encoded %2f to access protected /api/channels endpoints.
Deeper analysis
OpenClaw versions prior to 2026.3.2 are affected by CVE-2026-32004, an authentication bypass vulnerability (CWE-288) in the /api/channels route classification. The issue stems from a canonicalization depth mismatch between auth-path classification and route-path canonicalization, allowing attackers to bypass plugin route authentication checks. It has a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N).
Remote, unauthenticated attackers can exploit this vulnerability over the network by submitting deeply encoded slash variants, such as multi-encoded %2f, to protected /api/channels endpoints. Successful exploitation requires high attack complexity but enables limited access to confidential information (low impact) and high integrity violations, such as unauthorized modifications, without affecting availability.
Mitigation is addressed in OpenClaw version 2026.3.2 and later through fixes in multiple commits, including 2fd8264ab03bd178e62a5f0c50d1c8556c17f12d, 7a7eee920a176a0043398c6b37bf4cc6eb983eeb, 93b07240257919f770d1e263e1f22753937b80ea, and d74bc257d8432f17e50b23ae713d7e0623a1fe0f. Additional details are available in the GitHub security advisory GHSA-v865-p3gq-hw6m. Security practitioners should upgrade affected installations promptly.
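The bug class described above, as an added illustration written for this page (hypothetical code, not OpenClaw's): an auth classifier that percent-decodes a request path once disagrees with a router that decodes it to a fixed point, so a multi-encoded slash lands on a protected route without being classified as one. The hardened variant derives both decisions from a single shared canonical form. The prefix, function names and the five-round decode bound are assumptions for the example.

```javascript
// Hypothetical illustration of a canonicalization depth mismatch; not OpenClaw code.
const PROTECTED_PREFIX = "/api/channels"; // assumed protected route prefix

// Decode percent-encoding exactly once; malformed sequences are left untouched.
function decodeOnce(path) {
  try { return decodeURIComponent(path); } catch { return path; }
}

// Decode until the value stops changing. Returns null if it has not
// stabilised within maxRounds, so the caller can reject the request.
function decodeToFixedPoint(path, maxRounds = 5) {
  let cur = path;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeOnce(cur);
    if (next === cur) return cur;
    cur = next;
  }
  return null;
}

// Vulnerable pattern: the auth check looks at a once-decoded path while the
// router resolves the fully decoded path. "/api%252fchannels/x" decodes once to
// "/api%2fchannels/x" (not protected) but fully to "/api/channels/x" (protected).
function vulnerableDispatch(rawPath) {
  const authView = decodeOnce(rawPath);
  const routeView = decodeToFixedPoint(rawPath) ?? rawPath;
  const requiresAuth = authView.startsWith(PROTECTED_PREFIX);
  const isProtectedRoute = routeView.startsWith(PROTECTED_PREFIX);
  return { requiresAuth, isProtectedRoute, mismatch: requiresAuth !== isProtectedRoute };
}

// Hardened pattern: canonicalize once, reject anything that does not stabilise,
// and feed the same canonical string to both the auth check and the router.
// The exact decoding policy matters less than both checks sharing it.
function hardenedDispatch(rawPath) {
  const canon = decodeToFixedPoint(rawPath);
  if (canon === null) return { rejected: true, reason: "unstable encoding" };
  const requiresAuth = canon.startsWith(PROTECTED_PREFIX);
  return { rejected: false, path: canon, requiresAuth, isProtectedRoute: requiresAuth, mismatch: false };
}

module.exports = { decodeOnce, decodeToFixedPoint, vulnerableDispatch, hardenedDispatch };
```

A regression test that asserts `requiresAuth === isProtectedRoute` for every route in the table, over plain, single-encoded and multi-encoded forms of each path, is the check that catches this mismatch before release.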
Details
- CWE(s)