CVE-2026-32004
Authentication Bypass in OpenClaw /api/channels via Encoding Flaw
Publication date: 2026-03-19
Last updated on: 2026-03-23
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.3.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions prior to 2026.3.2 and involves an authentication bypass in the /api/channels route. The issue arises due to a mismatch in how the system classifies the authentication path versus how it canonicalizes the route path. Attackers can exploit this by submitting deeply encoded slash variants, such as multi-encoded %2f characters, to bypass authentication checks and gain unauthorized access to protected /api/channels endpoints.
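The classification/canonicalization mismatch described above is avoided when one canonical form of the path is computed first and both the authentication decision and the router use that same value. The following is an added illustration, not OpenClaw's code: `canonicalize_path`, `requires_auth` and `authorize` are hypothetical names, the protected prefix and the decode-round limit are assumptions, and the request paths in the test are constructed.

```python
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/api/channels"   # assumed protected route family
MAX_DECODE_ROUNDS = 3                # assumed bound on nested encoding


def canonicalize_path(raw_path: str) -> str:
    """Return one canonical path for both auth and routing.

    Percent-decoding is repeated until the string stops changing, so
    %2f, %252f and so on all collapse to a literal slash before any
    decision is made. A path that is still changing after the round
    limit is treated as hostile and rejected rather than guessed at.
    """
    path = raw_path.split("?", 1)[0]            # query string is irrelevant
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path still encoded after decode rounds")
    path = "/" + path.lstrip("/")               # avoid POSIX '//' special case
    return posixpath.normpath(path)             # collapses '//', '.', '..'


def requires_auth(canonical_path: str) -> bool:
    """Classify on the canonical path only, never on the raw request line."""
    return (canonical_path == PROTECTED_PREFIX
            or canonical_path.startswith(PROTECTED_PREFIX + "/"))


def authorize(raw_path: str, has_valid_token: bool) -> str:
    """Decision for a request: 'reject' (400), 'deny' (401) or 'allow'.

    The router must dispatch on the same canonical path; recomputing or
    re-decoding it later reintroduces the mismatch.
    """
    try:
        path = canonicalize_path(raw_path)
    except ValueError:
        return "reject"
    if requires_auth(path) and not has_valid_token:
        return "deny"
    return "allow"
```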
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass authentication controls and access protected API endpoints without proper authorization. This could lead to unauthorized access to sensitive data or functionality within the OpenClaw system, potentially compromising the integrity and confidentiality of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know