CVE-2026-32067
Published: 21 March 2026
Summary
CVE-2026-32067 is a low-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 2.0 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2026-32067, published on 2026-03-21, is an authorization bypass vulnerability (CWE-863) in the pairing-store access control for the direct message pairing policy in OpenClaw versions prior to 2026.2.26. The flaw enables attackers to reuse pairing approvals across multiple accounts, allowing a sender approved in one account to be automatically accepted in another without explicit approval, thus bypassing authorization boundaries.
Exploitation is possible over the network (AV:N) by an attacker with low privileges (PR:L) in a multi-account deployment, but requires high attack complexity (AC:H) and user interaction (UI:R). Successful attacks result in low impacts on confidentiality and integrity (C:L/I:L), with no availability impact (A:N) and no scope change (S:U), yielding a CVSS v3.1 base score of 3.7.
Mitigation is provided in OpenClaw version 2026.2.26 and later, with fixes implemented in GitHub commits a0c5e28f3bf0cc0cd9311f9e9ec2ca0352550dcf and bce643a0bd145d3e9cb55400af33bd1b85baeb02. Additional details are available in the GitHub security advisory at GHSA-vjp8-wprm-2jw9 and the VulnCheck advisory at www.vulncheck.com/advisories/openclaw-cross-account-authorization-bypass-in-dm-pairing-store.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13968
Vulnerability details
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries.
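The mechanism described in the Deeper analysis and Vulnerability details sections is a pairing store whose approval lookup ignores which account the approval was granted for. The following TypeScript is an added illustration, not OpenClaw's own code, and every name in it (SenderKeyedPairingStore, AccountScopedPairingStore, decideInboundDm, findCrossAccountAcceptances, the sample account and sender identifiers) is hypothetical. It contrasts a store keyed by sender only, which exhibits the cross-account reuse, with one keyed by the (account, sender) pair, and adds an audit helper a defender can run over approval records and accepted-DM logs to spot acceptances that have no same-account approval.

```typescript
// Added illustration, not OpenClaw's own code: a minimal in-memory pairing
// store for a direct-message (DM) pairing policy, contrasting approvals keyed
// by sender only (the cross-account reuse pattern) with approvals keyed by
// (account, sender). All names here are hypothetical.

type AccountId = string;
type SenderId = string;

export interface PairingApproval {
  accountId: AccountId;
  senderId: SenderId;
  approvedAt: number; // epoch milliseconds
}

export interface PairingStore {
  approve(accountId: AccountId, senderId: SenderId): void;
  isApproved(accountId: AccountId, senderId: SenderId): boolean;
}

/** Flawed pattern: the store remembers only the sender, so an approval
 *  granted while acting on account A is honored when the same sender
 *  messages account B in a multi-account deployment. */
export class SenderKeyedPairingStore implements PairingStore {
  private readonly approved = new Set<SenderId>();

  approve(_accountId: AccountId, senderId: SenderId): void {
    this.approved.add(senderId);
  }

  isApproved(_accountId: AccountId, senderId: SenderId): boolean {
    return this.approved.has(senderId); // the account is ignored
  }
}

/** Corrected pattern: the authorization decision is made per
 *  (account, sender) pair, so nothing leaks across account boundaries. */
export class AccountScopedPairingStore implements PairingStore {
  private readonly approved = new Map<string, PairingApproval>();

  // Encode both components unambiguously; a plain "a:b" join would let
  // account "x:y" + sender "z" collide with account "x" + sender "y:z".
  private static key(accountId: AccountId, senderId: SenderId): string {
    return JSON.stringify([accountId, senderId]);
  }

  approve(accountId: AccountId, senderId: SenderId): void {
    const k = AccountScopedPairingStore.key(accountId, senderId);
    this.approved.set(k, { accountId, senderId, approvedAt: Date.now() });
  }

  isApproved(accountId: AccountId, senderId: SenderId): boolean {
    return this.approved.has(AccountScopedPairingStore.key(accountId, senderId));
  }

  revoke(accountId: AccountId, senderId: SenderId): boolean {
    return this.approved.delete(AccountScopedPairingStore.key(accountId, senderId));
  }
}

export type DmDecision = "accept" | "require-pairing";

/** DM ingress check under a "pairing" policy: only a sender explicitly
 *  approved for this account is accepted; anyone else must pair first. */
export function decideInboundDm(
  store: PairingStore,
  accountId: AccountId,
  senderId: SenderId,
): DmDecision {
  return store.isApproved(accountId, senderId) ? "accept" : "require-pairing";
}

/** Audit helper for existing deployments: given the approvals on record and a
 *  log of DMs that were accepted, return the acceptances that have no approval
 *  for that same account. A non-empty result is the signature of cross-account
 *  reuse. */
export function findCrossAccountAcceptances(
  approvals: PairingApproval[],
  accepted: Array<{ accountId: AccountId; senderId: SenderId }>,
): Array<{ accountId: AccountId; senderId: SenderId }> {
  const ok = new Set(approvals.map((a) => JSON.stringify([a.accountId, a.senderId])));
  return accepted.filter((e) => !ok.has(JSON.stringify([e.accountId, e.senderId])));
}

/** Runs both stores through the same constructed scenario: sender-1 is
 *  approved only in account-A, then messages account-B. */
export function demo(): { senderKeyed: DmDecision; accountScoped: DmDecision } {
  const flawed = new SenderKeyedPairingStore();
  const fixed = new AccountScopedPairingStore();
  flawed.approve("account-A", "sender-1");
  fixed.approve("account-A", "sender-1");
  return {
    senderKeyed: decideInboundDm(flawed, "account-B", "sender-1"), // "accept"
    accountScoped: decideInboundDm(fixed, "account-B", "sender-1"), // "require-pairing"
  };
}
```

The fix is the key, not the data model: the approval record already carries both identifiers, but unless the lookup is performed on the pair, a multi-account deployment reduces to a single shared allow-list. The audit helper is the check to run after upgrading, against whatever approval store and message log a deployment keeps, to see whether any sender was being accepted on an account that never approved it.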
- CWE(s): CWE-863 (Incorrect Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Network-accessible authorization bypass directly enables exploitation of public-facing apps (T1190); reuse of pairing approvals across accounts is a form of alternate authentication material abuse (T1550.001).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations on the pairing store, preventing reuse of cross-account pairing approvals.
- AC-24 (Access Control Decisions): Ensures access control decisions for the DM pairing policy are made consistently per account rather than reused.
- Enforces information flow rules that block unauthorized transfer of pairing approvals between separate accounts.