Cyber Resilience

CVE-2026-32057

MediumPublic PoC

Published: 21 March 2026

Published
21 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score v4 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 25.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-32057 is a medium-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 25.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2026-32057 is an authentication bypass vulnerability (CWE-807) in OpenClaw versions prior to 2026.2.25. The flaw exists in the trusted-proxy Control UI pairing mechanism, which accepts the client.id=control-ui parameter without performing proper device identity verification, published on 2026-03-21.

An authenticated node role WebSocket client can exploit this vulnerability over the network with low complexity and no user interaction. By using the control-ui client identifier, the attacker bypasses pairing requirements to gain unauthorized access to node event execution flows, resulting in low confidentiality impact, high integrity impact, and no availability impact. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

Advisories recommend upgrading to OpenClaw version 2026.2.25 or later, where the issue is addressed via the patch in GitHub commit ec45c317f5d0631a3d333b236da58c4749ede2a3. Additional details on the vulnerability and remediation are provided in the GitHub Security Advisory at GHSA-vvgp-4c28-m3jm and the Vulncheck advisory at https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-ui-client-id-parameter.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier…

more

to skip pairing requirements and gain unauthorized access to node event execution flows.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authentication bypass in remote WebSocket service exploitable by low-privileged (PR:L) authenticated node role client to gain unauthorized control over node event execution flows, directly enabling T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41299Same product: Openclaw Openclaw
CVE-2026-35638Same product: Openclaw Openclaw
CVE-2026-35663Same product: Openclaw Openclaw
CVE-2026-43578Same product: Openclaw Openclaw
CVE-2026-41404Same product: Openclaw Openclaw
CVE-2026-35670Same product: Openclaw Openclaw
CVE-2026-41344Same product: Openclaw Openclaw
CVE-2026-32975Same product: Openclaw Openclaw
CVE-2026-42432Same product: Openclaw Openclaw
CVE-2026-41371Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.2.25

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-3 requires device identification and authentication before establishing connections, directly preventing the authentication bypass by enforcing proper device identity verification in the Control UI pairing mechanism.

prevent

AC-3 enforces approved access control policies for logical access to system resources, mitigating unauthorized access to node event execution flows gained by bypassing pairing requirements.

preventrecover

SI-2 mandates timely identification, reporting, and correction of system flaws like this CVE, directly addressing the vulnerability through patching as recommended in the advisory.

References