CVE-2026-32057
Published: 21 March 2026
Summary
CVE-2026-32057 is a high-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 28.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-3 requires device identification and authentication before establishing connections, directly preventing the authentication bypass by enforcing proper device identity verification in the Control UI pairing mechanism.
AC-3 enforces approved access control policies for logical access to system resources, mitigating unauthorized access to node event execution flows gained by bypassing pairing requirements.
SI-2 mandates timely identification, reporting, and correction of system flaws like this CVE, directly addressing the vulnerability through patching as recommended in the advisory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass in remote WebSocket service exploitable by low-privileged (PR:L) authenticated node role client to gain unauthorized control over node event execution flows, directly enabling T1068: Exploitation for Privilege Escalation.
NVD Description
OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier…
more
to skip pairing requirements and gain unauthorized access to node event execution flows.
Deeper analysisAI
CVE-2026-32057 is an authentication bypass vulnerability (CWE-807) in OpenClaw versions prior to 2026.2.25. The flaw exists in the trusted-proxy Control UI pairing mechanism, which accepts the client.id=control-ui parameter without performing proper device identity verification, published on 2026-03-21.
An authenticated node role WebSocket client can exploit this vulnerability over the network with low complexity and no user interaction. By using the control-ui client identifier, the attacker bypasses pairing requirements to gain unauthorized access to node event execution flows, resulting in low confidentiality impact, high integrity impact, and no availability impact. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).
Advisories recommend upgrading to OpenClaw version 2026.2.25 or later, where the issue is addressed via the patch in GitHub commit ec45c317f5d0631a3d333b236da58c4749ede2a3. Additional details on the vulnerability and remediation are provided in the GitHub Security Advisory at GHSA-vvgp-4c28-m3jm and the Vulncheck advisory at https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-ui-client-id-parameter.
Details
- CWE(s)