CVE-2026-32001
⚪ For information
An authentication bypass in OpenClaw lets attackers claim the node role, which permits unauthorized event calls.
| Field | Value |
|---|---|
| CVSS | 5.4 |
| EPSS | 0.1% |
| Exploit | none |
| Vendor | openclaw |
Source description (NVD)
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject unauthorized node.event calls, triggering agent.request and voice.transcript flows without proper device pairing.
auth-bypass
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 5.4 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.1% |
| Published (NVD) | 2026-03-19 22:16:32 UTC |
| Last modified (NVD) | 2026-03-23 18:51:27 UTC |
References
- https://github.com/openclaw/openclaw/commit/ddcb2d79b17bf2a42c5037d8aeff1537a12b931e (disclosure@vulncheck.com) [Patch]
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rv2q-f2h5-6xmg (disclosure@vulncheck.com) [Patch, Vendor Advisory]
- https://www.vulncheck.com/advisories/openclaw-node-role-device-identity-bypass-via-websocket-authentication (disclosure@vulncheck.com) [Third Party Advisory]