Cyber Resilience

CVE-2026-32041

Severity: High · Public PoC

Published: 19 March 2026
Modified: 23 March 2026
CVSS Score (v4): 7.5 CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0002 (6.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32041 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in OpenClaw (vendor Openclaw, product Openclaw). Its CVSS v4 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 6.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-32041 is a vulnerability in OpenClaw versions prior to 2026.3.1 that results from improper handling of authentication bootstrap errors during startup, classified under CWE-306 (Missing Authentication for Critical Function). When the bootstrap fails, the browser-control routes remain registered and reachable without authentication instead of being refused. The issue carries a CVSS v3.1 base score of 6.9 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L), a medium rating driven by high confidentiality and integrity impact with low availability impact.

Attackers with local access or the ability to reach loopback interfaces via SSRF can exploit this vulnerability without privileges. Exploitation involves targeting the unauthenticated browser-control routes, including evaluate-capable actions, to execute arbitrary operations without valid credentials. Successful attacks enable high-level data exposure and modification within the browser context, with low availability disruption.

Mitigation details are available in the official advisories: the OpenClaw GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-vpj2-69hf-rppw and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-unauthenticated-browser-control-access-via-failed-auth-bootstrap. Upgrading to OpenClaw version 2026.3.1 addresses the authentication handling defect; until then, the defensive posture is fail-closed startup (an authentication bootstrap error should make the gateway refuse requests, not serve them unauthenticated) and denying loopback reachability from untrusted processes.


Vulnerability details

OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including evaluate-capable actions without valid credentials.

CWE(s): CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The authentication bypass (CWE-306) on browser-control/evaluate routes lets the application itself be exploited for unauthenticated arbitrary operations (T1190), and the evaluate actions run in the browser context map to JavaScript command/script execution (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28472 (same product: Openclaw Openclaw)
CVE-2026-28450 (same product: Openclaw Openclaw)
CVE-2026-28468 (same product: Openclaw Openclaw)
CVE-2026-32064 (same product: Openclaw Openclaw)
CVE-2026-28456 (same product: Openclaw Openclaw)
CVE-2026-28485 (same product: Openclaw Openclaw)
CVE-2026-28458 (same product: Openclaw Openclaw)
CVE-2026-26319 (same product: Openclaw Openclaw)
CVE-2026-44116 (same product: Openclaw Openclaw)
CVE-2026-35652 (same product: Openclaw Openclaw)

Affected Assets

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-14 explicitly limits and documents permitted actions without identification or authentication, directly preventing exposure of unauthenticated browser-control routes due to failed auth bootstrap.

Prevent: SI-11 ensures secure error handling during authentication bootstrap failures, avoiding the condition where critical routes remain accessible without credentials.

Prevent: AC-3 enforces approved access authorizations, blocking unauthorized local or SSRF exploitation of browser-control routes lacking authentication.
