CVE-2026-32035
Published: 19 March 2026
Summary
CVE-2026-32035 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly preventing non-owner voice participants from accessing owner-only tools due to the omitted senderIsOwner flag.
Requires explicit authorization decisions based on access control policies before granting access, countering the incorrect default to true for senderIsOwner in agentCommand processing.
Implements least privilege to restrict non-owners to only necessary accesses, mitigating unauthorized use of gateway and cron functionality in mixed-trust channels.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass (missing senderIsOwner flag) directly enables T1068 by allowing low-priv users to invoke owner-only functions; explicit cron access enables T1053.003 for scheduled execution/persistence.
NVD Description
OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron…
more
functionality in mixed-trust channels.
Deeper analysisAI
CVE-2026-32035 is an authorization vulnerability in OpenClaw versions prior to 2026.3.2, published on 2026-03-19. The issue occurs in the agentCommand function during processing of Discord voice transcripts, where the senderIsOwner flag is not passed, causing it to default to true. This leads to incorrect authorization checks, mapped to CWE-863 (Incorrect Authorization), with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L).
Non-owner voice participants with low privileges (PR:L) in mixed-trust channels can exploit this by sending crafted Discord voice transcripts, requiring user interaction (UI:R) and high attack complexity (AC:H). Successful exploitation grants unauthorized access to owner-only tools, including gateway and cron functionality, resulting in high integrity impact (I:H), low confidentiality and availability impacts (C:L/A:L), with no scope change (S:U).
Advisories from GitHub (GHSA-wpg9-4g4v-f9rc) and VulnCheck recommend updating to OpenClaw version 2026.3.2 or later, which addresses the omission by properly passing the senderIsOwner flag during Discord voice transcript processing.
Details
- CWE(s)