CVE-2026-32051
Authorization Bypass in OpenClaw Agent Enables Privilege Escalation
Publication date: 2026-03-21
Last updated on: 2026-03-23
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.3.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32051 is an authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1. It allows authenticated users who have operator.write scope to access and invoke owner-only tool functionalities, such as gateway and cron operations, through agent runs in scoped-token deployments.
The root cause is inconsistent enforcement of owner-only access restrictions during agent execution, which leads to a privilege escalation where users with write-scope access can perform control-plane actions beyond their intended authorization level.
This flaw is classified as a high-severity authorization bypass vulnerability and was fixed in OpenClaw version 2026.3.1 by enforcing strict owner-only gating and tightening tool scope classification.
How can this vulnerability impact me? :
This vulnerability can allow attackers with operator.write privileges to escalate their permissions and perform unauthorized control-plane actions, such as invoking owner-only tools like gateway and cron.
Such unauthorized actions can compromise the confidentiality, integrity, and availability of the system, potentially leading to significant security breaches.
Because the vulnerability can be exploited remotely over the network with low attack complexity and no user interaction, it poses a high risk to affected systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-32051, you should upgrade OpenClaw to version 2026.3.1 or later, where the authorization mismatch vulnerability has been fixed.
This update enforces consistent owner-only gating for sensitive tool surfaces such as gateway and cron during agent execution, eliminating the privilege escalation risk.