CVE-2026-32025
Published: 19 March 2026
Summary
CVE-2026-32025 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 25.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-7 (Unsuccessful Logon Attempts).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces limits on consecutive unsuccessful logon attempts and automated lockouts, directly mitigating the password brute-force attacks enabled by the authentication throttling bypass.
Requires robust identification and authentication mechanisms for organizational users, addressing the flawed WebSocket authentication that allows bypass of origin checks.
Mandates enforcement of approved access authorizations, including origin validation policies to block unauthorized loopback WebSocket connections from malicious webpages.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly bypasses origin validation and auth throttling on loopback WebSocket, enabling brute-force credential attacks (T1110) delivered by tricking a user into loading a malicious webpage (T1189).
NVD Description
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform…
more
password brute-force attacks against the gateway to establish an authenticated operator session and invoke control-plane methods.
Deeper analysisAI
CVE-2026-32025, published on 2026-03-19, is an authentication hardening gap classified under CWE-307 in the browser-origin WebSocket clients of OpenClaw versions prior to 2026.2.25. This flaw enables attackers to bypass origin checks and authentication throttling on loopback deployments, exposing the gateway to unauthorized access attempts.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility with high attack complexity, no required privileges, and user interaction. A remote attacker can exploit it by tricking a victim into opening a malicious webpage, which then facilitates password brute-force attacks against the gateway. Successful exploitation allows the attacker to establish an authenticated operator session and invoke control-plane methods, potentially compromising confidentiality, integrity, and availability.
Mitigation details are available in the referenced advisories and patch. The GitHub commit c736f11a16d6bc27ea62a0fe40fffae4cb071fdb addresses the issue, with the fix included in OpenClaw 2026.2.25 and later versions. Additional guidance appears in the GitHub Security Advisory GHSA-jmmg-jqc7-5qf4 and the VulnCheck advisory on the brute-force vulnerability via browser-origin WebSocket authentication bypass.
Details
- CWE(s)