Cyber Resilience

CVE-2026-32025

High · Public PoC

Published: 19 March 2026
Modified: 23 March 2026
CVSS score (v4): 7.5 · CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0011 (28.7th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32025 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked at the 28.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-7 (Unsuccessful Logon Attempts).

Deeper analysis

CVE-2026-32025, published on 2026-03-19, is an authentication hardening gap classified under CWE-307 in the browser-origin WebSocket clients of OpenClaw versions prior to 2026.2.25. This flaw enables attackers to bypass origin checks and authentication throttling on loopback deployments, exposing the gateway to unauthorized access attempts.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility with high attack complexity, no required privileges, and required user interaction. A remote attacker can exploit it by tricking a victim into opening a malicious webpage, which then facilitates password brute-force attacks against the gateway. Successful exploitation allows the attacker to establish an authenticated operator session and invoke control-plane methods, potentially compromising confidentiality, integrity, and availability.

Mitigation details are available in the referenced advisories and patch. The GitHub commit c736f11a16d6bc27ea62a0fe40fffae4cb071fdb addresses the issue, with the fix included in OpenClaw 2026.2.25 and later versions. Additional guidance appears in the GitHub Security Advisory GHSA-jmmg-jqc7-5qf4 and the VulnCheck advisory on the brute-force vulnerability via browser-origin WebSocket authentication bypass.
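The two defensive checks this analysis turns on, origin validation on the WebSocket upgrade and a failed-attempt lockout of the AC-7 kind, combined in one added example for a hypothetical loopback gateway. This is illustrative code written for this page, not OpenClaw's implementation or its fix; the allowed origin, port, lockout threshold and lowercase header keys are assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Assumed loopback deployment: only pages served from the gateway's own origin may
# open a browser WebSocket. None admits clients that send no Origin header at all
# (non-browser tools), which an Origin check cannot constrain anyway.
ALLOWED_ORIGINS = {"http://127.0.0.1:8080", None}   # constructed values
MAX_FAILURES = 5            # lockout threshold chosen for the example
LOCKOUT_SECONDS = 300.0


def origin_allowed(headers: dict) -> bool:
    """Reject the upgrade unless the browser-sent Origin is on the allowlist."""
    return headers.get("origin") in ALLOWED_ORIGINS


@dataclass
class AuthThrottle:
    """Per-client failed-attempt counter with a fixed lockout (a CWE-307 control)."""
    max_failures: int = MAX_FAILURES
    lockout_seconds: float = LOCKOUT_SECONDS
    _state: dict = field(default_factory=dict)   # key -> (failures, locked_until)

    def is_locked(self, key: str, now: float) -> bool:
        return now < self._state.get(key, (0, 0.0))[1]

    def record_failure(self, key: str, now: float) -> None:
        failures, locked_until = self._state.get(key, (0, 0.0))
        if 0.0 < locked_until <= now:     # an expired lockout starts a fresh window
            failures = 0
        failures += 1
        if failures >= self.max_failures:
            locked_until = now + self.lockout_seconds
        self._state[key] = (failures, locked_until)

    def record_success(self, key: str) -> None:
        self._state.pop(key, None)


def handshake(headers, password, peer, now, throttle, expected):
    """Decide a WebSocket upgrade plus password auth; returns a short verdict.
    Origin is checked first so a foreign page never reaches the password path."""
    if not origin_allowed(headers):
        return "rejected_origin"
    # On loopback every peer is 127.0.0.1, so the origin is folded into the key:
    # a locked-out malicious page does not lock out non-browser tools as well.
    key = f"{peer}|{headers.get('origin')}"
    if throttle.is_locked(key, now):
        return "locked_out"
    if hmac.compare_digest(password.encode(), expected.encode()):
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key, now)
    return "bad_credentials"
```

Once locked, even the correct password is refused until the window expires, which is what removes the brute-force path the advisory describes.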

Vulnerability details

OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-force attacks against the gateway to establish an authenticated operator session and invoke control-plane methods.

CWE(s)

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

Vulnerability directly bypasses origin validation and auth throttling on loopback WebSocket, enabling brute-force credential attacks (T1110) delivered by tricking a user into loading a malicious webpage (T1189).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28395 (same product: Openclaw Openclaw)
CVE-2026-28458 (same product: Openclaw Openclaw)
CVE-2026-44116 (same product: Openclaw Openclaw)
CVE-2026-32064 (same product: Openclaw Openclaw)
CVE-2026-34503 (same product: Openclaw Openclaw)
CVE-2026-42431 (same product: Openclaw Openclaw)
CVE-2026-42429 (same product: Openclaw Openclaw)
CVE-2026-32005 (same product: Openclaw Openclaw)
CVE-2026-35652 (same product: Openclaw Openclaw)
CVE-2026-28391 (same product: Openclaw Openclaw)

Affected Assets

Vendor: openclaw · Product: openclaw · Versions: ≤ 2026.2.25

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-7 (Unsuccessful Logon Attempts)
Enforces limits on consecutive unsuccessful logon attempts and automated lockouts, directly mitigating the password brute-force attacks enabled by the authentication throttling bypass.

Prevent: identification and authentication of organizational users
Requires robust identification and authentication mechanisms for organizational users, addressing the flawed WebSocket authentication that allows bypass of origin checks.

Prevent: AC-3 (Access Enforcement)
Mandates enforcement of approved access authorizations, including origin validation policies to block unauthorized loopback WebSocket connections from malicious webpages.
