Cyber Resilience

CVE-2026-32014

HighPublic PoC

Published: 19 March 2026

Published
19 March 2026
Modified
23 March 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0019 8.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32014 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2026-32014 is a metadata spoofing vulnerability affecting OpenClaw versions prior to 2026.2.26. The issue arises because the reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature, allowing manipulation of these fields during reconnection. This flaw, classified under CWE-290 (Authentication Bypass by Spoofing), has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with adjacent network access required, low attack complexity, and low privileges needed.

An attacker with a paired node identity on the trusted network can exploit this vulnerability by spoofing reconnect metadata. This enables bypassing platform-based node command policies, granting unauthorized access to restricted commands and potentially leading to high-impact confidentiality, integrity, and availability compromises on the affected system.

Mitigation is addressed in OpenClaw version 2026.2.26 and later, as detailed in the patch commit at https://github.com/openclaw/openclaw/commit/7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a. Additional guidance is available in the GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-r65x-2hqr-j5hf and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-node-reconnect-metadata-spoofing-via-unsigned-platform-fields. Security practitioners should prioritize updating affected deployments and reviewing access controls for paired node identities on trusted networks.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature. An attacker with a paired node identity on the trusted network can…

more

spoof reconnect metadata to bypass platform-based node command policies and gain access to restricted commands.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Metadata spoofing enables auth bypass (CWE-290) on paired nodes, directly facilitating exploitation for privilege escalation (T1068) to access restricted commands and T1059 for subsequent command execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35622Same product: Openclaw Openclaw
CVE-2026-34426Same product: Openclaw Openclaw
CVE-2026-32045Same product: Openclaw Openclaw
CVE-2026-28465Same product: Openclaw Openclaw
CVE-2026-44118Same product: Openclaw Openclaw
CVE-2026-33573Same product: Openclaw Openclaw
CVE-2026-28473Same product: Openclaw Openclaw
CVE-2026-35663Same product: Openclaw Openclaw
CVE-2026-32057Same product: Openclaw Openclaw
CVE-2026-42429Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.2.26

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification and authentication of devices before reconnection, ensuring platform and deviceFamily metadata is bound and verified in the device-auth signature to prevent spoofing.

prevent

Enforces platform-based node command policies using only authenticated and non-spoofable device metadata, blocking unauthorized access to restricted commands.

prevent

Protects transmission of security attributes like platform and deviceFamily from modification or spoofing by requiring secure mechanisms such as inclusion in the device-auth signature.

References