Cyber Resilience

CVE-2026-32067

Severity: Low · Public PoC

Published: 21 March 2026

Modified: 26 May 2026
CVSS v4 score: 2.0 (CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0016 (6.0th percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-32067 is a low-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 2.0 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-32067, published on 2026-03-21, is an authorization bypass vulnerability (CWE-863) in the pairing-store access control for the direct message pairing policy in OpenClaw versions prior to 2026.2.26. The flaw enables attackers to reuse pairing approvals across multiple accounts, allowing a sender approved in one account to be automatically accepted in another without explicit approval, thus bypassing authorization boundaries.

Exploitation is possible over the network (AV:N) by an attacker with low privileges (PR:L) in a multi-account deployment, but requires high attack complexity (AC:H) and user interaction (UI:R). Successful attacks result in low impacts on confidentiality and integrity (C:L/I:L), with no availability impact (A:N) and no scope change (S:U), yielding a CVSS v3.1 base score of 3.7.

Mitigation is provided in OpenClaw version 2026.2.26 and later, with fixes implemented in GitHub commits a0c5e28f3bf0cc0cd9311f9e9ec2ca0352550dcf and bce643a0bd145d3e9cb55400af33bd1b85baeb02. Additional details are available in the GitHub security advisory at GHSA-vjp8-wprm-2jw9 and the VulnCheck advisory at www.vulncheck.com/advisories/openclaw-cross-account-authorization-bypass-in-dm-pairing-store.
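The advisory describes the flaw as a pairing-store lookup that ignores which account an approval was granted for. The following added example (constructed for this page, not OpenClaw's code; the class and function names, the account and sender identifiers, and the approval-log shape are all assumptions) shows the vulnerable store shape beside a per-account keyed store, plus a re-scoping routine of the kind an operator would want when migrating a flat approval list so that approvals with no recorded origin are sent back for explicit re-approval rather than silently granted to every account.

```python
"""CWE-863 in a direct-message pairing store (constructed illustration).

A pairing store records which inbound senders have been approved to message a
given account. In the flaw described by the advisory, the lookup did not use the
account as part of the key, so an approval granted in account A also satisfied
the policy check in account B of the same multi-account deployment.
"""
from dataclasses import dataclass, field


@dataclass
class SharedPairingStore:
    """Vulnerable shape (hypothetical): one approval set shared by all accounts."""
    approved: set = field(default_factory=set)

    def approve(self, account_id: str, sender_id: str) -> None:
        # account_id is accepted by the API but never becomes part of the key
        self.approved.add(sender_id)

    def is_approved(self, account_id: str, sender_id: str) -> bool:
        return sender_id in self.approved


@dataclass
class ScopedPairingStore:
    """Hardened shape (hypothetical): approvals keyed by (account, sender)."""
    approved: set = field(default_factory=set)

    def approve(self, account_id: str, sender_id: str) -> None:
        self.approved.add((account_id, sender_id))

    def is_approved(self, account_id: str, sender_id: str) -> bool:
        return (account_id, sender_id) in self.approved


def dm_policy_decision(store, account_id: str, sender_id: str) -> str:
    """DM pairing policy: deliver only if this account approved this sender."""
    return "deliver" if store.is_approved(account_id, sender_id) else "pending"


def cross_account_scenario(store_cls) -> dict:
    """Approve a sender in account A only, then ask the policy for A and B."""
    store = store_cls()
    store.approve("acct-A", "sender-1")  # explicit approval in account A only
    return {
        "acct-A": dm_policy_decision(store, "acct-A", "sender-1"),
        "acct-B": dm_policy_decision(store, "acct-B", "sender-1"),
    }


def rescope_legacy_approvals(legacy_senders, approval_log):
    """Rebuild a scoped store from a flat sender set plus an approval log.

    approval_log maps sender_id -> account_id that actually recorded the
    approval (constructed shape). Senders whose originating account is unknown
    cannot be attributed safely and are returned for manual re-approval.
    """
    scoped = ScopedPairingStore()
    needs_reapproval = []
    for sender in sorted(legacy_senders):
        account = approval_log.get(sender)
        if account is None:
            needs_reapproval.append(sender)
        else:
            scoped.approve(account, sender)
    return scoped, needs_reapproval


if __name__ == "__main__":
    print("shared store :", cross_account_scenario(SharedPairingStore))
    print("scoped store :", cross_account_scenario(ScopedPairingStore))
    store, pending = rescope_legacy_approvals(
        {"sender-1", "sender-2"}, {"sender-1": "acct-A"})
    print("re-approval needed for:", pending)
```

With the shared store, the sender approved in acct-A is delivered in acct-B without any approval step; the scoped store returns "pending" for acct-B, which is the behaviour the fixed versions restore. The re-scoping routine is the conservative choice for an upgrade: rather than copying every legacy approval into every account, it attributes each approval to the account that recorded it and surfaces the rest.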

Vulnerability details

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries.

CWE(s): CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1550.001 Application Access Token (Lateral Movement): Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.

Why these techniques?

Network-accessible authorization bypass directly enables exploitation of public-facing apps (T1190); reuse of pairing approvals across accounts is a form of alternate authentication material abuse (T1550.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32924 · Same product: Openclaw Openclaw
CVE-2026-31998 · Same product: Openclaw Openclaw
CVE-2026-32914 · Same product: Openclaw Openclaw
CVE-2026-28392 · Same product: Openclaw Openclaw
CVE-2026-28474 · Same product: Openclaw Openclaw
CVE-2026-34512 · Same product: Openclaw Openclaw
CVE-2026-42422 · Same product: Openclaw Openclaw
CVE-2026-42438 · Same product: Openclaw Openclaw
CVE-2026-44110 · Same product: Openclaw Openclaw
CVE-2026-42426 · Same product: Openclaw Openclaw

Affected Assets

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.2.26

Mitigating Controls (NIST 800-53 r5) (AI)

AC-3 Access Enforcement · prevent
Directly enforces approved authorizations on the pairing-store, preventing reuse of cross-account pairing approvals.

AC-24 Access Control Decisions · prevent
Ensures access control decisions for DM pairing policy are made consistently per account rather than reused.

AC-4 Information Flow Enforcement · prevent
Enforces information flow rules that block unauthorized transfer of pairing approvals between separate accounts.