CVE-2026-32987
Published: 29 March 2026
Summary
CVE-2026-32987 is a critical-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in Openclaw Openclaw. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the replay vulnerability by identifying, reporting, and applying the vendor patch (2026.3.13) that fixes the bootstrap code reuse flaw in device-bootstrap.ts.
Requires management of bootstrap setup codes as authenticators with single-use or time-bound properties to prevent replay during device pairing verification.
Prevents replay attacks on bootstrap codes by enforcing session authenticity and protecting bindings during device pairing communications to block scope escalation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated replay attack on device bootstrap/pairing directly enables T1190 (public-facing app exploitation) and results in scope escalation to operator.admin, enabling T1068 (exploitation for privilege escalation).
NVD Description
OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.
Deeper analysisAI
CVE-2026-32987 is a vulnerability in OpenClaw versions prior to 2026.3.13 that allows replay attacks on bootstrap setup codes during device pairing verification. The issue resides in the src/infra/device-bootstrap.ts component, where valid bootstrap codes can be reused multiple times before approval, enabling escalation of pending pairing scopes. This flaw, classified under CWE-294 (Authentication Bypass by Capture-replay), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact confidentiality, integrity, and availability effects.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By capturing and replaying a legitimate bootstrap setup code during the pairing process, adversaries can verify it repeatedly, bypassing intended one-time-use protections. Successful exploitation allows escalation of pairing scopes, including privilege escalation to the operator.admin role, potentially granting unauthorized administrative control over affected devices.
Mitigation is addressed in OpenClaw version 2026.3.13 and later, as detailed in the project's GitHub security advisory (GHSA-63f5-hhc7-cx6p) and the fixing commit (1803d16d5cec970c54b0e1ac46b31b1cbade335c). Security practitioners should upgrade to the patched version immediately and review the VulnCheck advisory for additional details on detection and remediation.
Details
- CWE(s)