Cyber Posture

CVE-2026-32067

Low · Public PoC

Published: 21 March 2026

Modified: 24 March 2026
KEV Added: not listed
Patch: available (OpenClaw 2026.2.26 and later)
CVSS Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
EPSS Score: 0.0003 (10.2th percentile)
Risk Priority: 7 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32067 is a low-severity Incorrect Authorization (CWE-863) vulnerability in OpenClaw (vendor Openclaw, product Openclaw). Its CVSS base score is 3.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 10.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1550.001, listed below). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to system resources, directly preventing the authorization bypass that allows reuse of pairing approvals across multiple accounts.

AC-24 Access Control Decisions (prevent)
Requires access control decisions based on policies that isolate pairing-store access per account, mitigating cross-account approval reuse.

AC-6 Least Privilege (prevent)
Applies least privilege to limit pairing-store access to only the privileges necessary per account, reducing the risk of unauthorized cross-account acceptance.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1550.001 Application Access Token (Lateral Movement)
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

Network-accessible authorization bypass directly enables exploitation of public-facing apps (T1190); reuse of pairing approvals across accounts is a form of alternate authentication material abuse (T1550.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for the direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries.

Deeper analysis

CVE-2026-32067, published on 2026-03-21, is an authorization bypass vulnerability (CWE-863) in the pairing-store access control for the direct message pairing policy in OpenClaw versions prior to 2026.2.26. The flaw enables attackers to reuse pairing approvals across multiple accounts, allowing a sender approved in one account to be automatically accepted in another without explicit approval, thus bypassing authorization boundaries.
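The defect described above is an authorization check that honours a sender approval without binding it to the account that granted it. The following is an added illustration written for this page, not OpenClaw's code: it models the weak pattern (approvals keyed by sender only) beside the hardened pattern (approvals keyed by account and sender) so a reviewer can see which shape of pairing store lets an approval in one account be reused in another. All class names, method names and the sample account and sender identifiers are hypothetical.

```python
"""Illustrative pairing-store approval check (added example, not OpenClaw code).

Models the authorization defect described for CVE-2026-32067 in the abstract:
a DM pairing policy that looks up sender approvals without scoping them to the
receiving account honours an approval granted in one account in another.
Class names, method names and sample identifiers are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class SharedPairingStore:
    """Weak pattern: approvals keyed by sender only, shared across accounts."""
    approved_senders: set[str] = field(default_factory=set)

    def approve(self, account_id: str, sender_id: str) -> None:
        # account_id is accepted but ignored, so the approval is global.
        self.approved_senders.add(sender_id)

    def is_approved(self, account_id: str, sender_id: str) -> bool:
        return sender_id in self.approved_senders


@dataclass
class ScopedPairingStore:
    """Hardened pattern: approvals keyed by (account, sender)."""
    approvals: set[tuple[str, str]] = field(default_factory=set)

    def approve(self, account_id: str, sender_id: str) -> None:
        self.approvals.add((account_id, sender_id))

    def is_approved(self, account_id: str, sender_id: str) -> bool:
        # Only an approval recorded for this exact account counts.
        return (account_id, sender_id) in self.approvals

    def accounts_honouring(self, sender_id: str) -> set[str]:
        """Audit helper: which accounts have explicitly approved this sender."""
        return {acct for acct, snd in self.approvals if snd == sender_id}


def dm_allowed(store, account_id: str, sender_id: str, policy: str = "pairing") -> bool:
    """Access decision for an inbound DM to account_id under the pairing policy.

    'open' accepts anyone; 'pairing' requires an approval held by the store.
    """
    if policy == "open":
        return True
    return store.is_approved(account_id, sender_id)


def cross_account_reuse(store_cls) -> bool:
    """Return True if an approval granted in account A is honoured in account B.

    Uses constructed identifiers: the sender is approved in "account-a" only,
    then tries to message "account-b", which never approved it.
    """
    store = store_cls()
    store.approve("account-a", "sender-1")
    return dm_allowed(store, "account-b", "sender-1")


if __name__ == "__main__":
    print("shared store reuses approval across accounts:",
          cross_account_reuse(SharedPairingStore))   # True: the defect
    print("scoped store reuses approval across accounts:",
          cross_account_reuse(ScopedPairingStore))   # False: the fix
```

The check that matters is the composite key: once the store records who approved the sender, the decision for account B cannot be satisfied by account A's approval, and an audit of `accounts_honouring` shows exactly which accounts accepted a given sender.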

Exploitation is possible over the network (AV:N) by an attacker with low privileges (PR:L) in a multi-account deployment, but requires high attack complexity (AC:H) and user interaction (UI:R). Successful attacks result in low impacts on confidentiality and integrity (C:L/I:L), with no availability impact (A:N) and no scope change (S:U), yielding a CVSS v3.1 base score of 3.7.

Mitigation is provided in OpenClaw version 2026.2.26 and later, with fixes implemented in GitHub commits a0c5e28f3bf0cc0cd9311f9e9ec2ca0352550dcf and bce643a0bd145d3e9cb55400af33bd1b85baeb02. Additional details are available in the GitHub security advisory at GHSA-vjp8-wprm-2jw9 and the VulnCheck advisory at www.vulncheck.com/advisories/openclaw-cross-account-authorization-bypass-in-dm-pairing-store.

Details

CWE(s): CWE-863 Incorrect Authorization

Affected Products

Vendor: openclaw · Product: openclaw · Versions: ≤ 2026.2.26

CVEs Like This One

CVE-2026-31998 · Same product: Openclaw Openclaw
CVE-2026-32924 · Same product: Openclaw Openclaw
CVE-2026-42426 · Same product: Openclaw Openclaw
CVE-2026-32005 · Same product: Openclaw Openclaw
CVE-2026-41303 · Same product: Openclaw Openclaw
CVE-2026-28392 · Same product: Openclaw Openclaw
CVE-2026-42438 · Same product: Openclaw Openclaw
CVE-2026-34512 · Same product: Openclaw Openclaw
CVE-2026-32059 · Same product: Openclaw Openclaw
CVE-2026-32914 · Same product: Openclaw Openclaw

References