CVE-2026-32014
Published: 19 March 2026
Summary
CVE-2026-32014 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires identification and authentication of devices before reconnection, ensuring platform and deviceFamily metadata is bound and verified in the device-auth signature to prevent spoofing.
Enforces platform-based node command policies using only authenticated and non-spoofable device metadata, blocking unauthorized access to restricted commands.
Protects transmission of security attributes like platform and deviceFamily from modification or spoofing by requiring secure mechanisms such as inclusion in the device-auth signature.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Metadata spoofing enables auth bypass (CWE-290) on paired nodes, directly facilitating exploitation for privilege escalation (T1068) to access restricted commands and T1059 for subsequent command execution.
NVD Description
OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature. An attacker with a paired node identity on the trusted network can…
more
spoof reconnect metadata to bypass platform-based node command policies and gain access to restricted commands.
Deeper analysisAI
CVE-2026-32014 is a metadata spoofing vulnerability affecting OpenClaw versions prior to 2026.2.26. The issue arises because the reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature, allowing manipulation of these fields during reconnection. This flaw, classified under CWE-290 (Authentication Bypass by Spoofing), has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with adjacent network access required, low attack complexity, and low privileges needed.
An attacker with a paired node identity on the trusted network can exploit this vulnerability by spoofing reconnect metadata. This enables bypassing platform-based node command policies, granting unauthorized access to restricted commands and potentially leading to high-impact confidentiality, integrity, and availability compromises on the affected system.
Mitigation is addressed in OpenClaw version 2026.2.26 and later, as detailed in the patch commit at https://github.com/openclaw/openclaw/commit/7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a. Additional guidance is available in the GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-r65x-2hqr-j5hf and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-node-reconnect-metadata-spoofing-via-unsigned-platform-fields. Security practitioners should prioritize updating affected deployments and reviewing access controls for paired node identities on trusted networks.
Details
- CWE(s)