Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32057 is an authentication bypass vulnerability in OpenClaw versions prior to 2026.2.25. It occurs in the trusted-proxy Control UI pairing mechanism, where the system accepts the client.id parameter set to "control-ui" without properly verifying the device identity.'}, {'type': 'paragraph', 'content': 'An authenticated websocket client with a node role can exploit this flaw by using the control-ui client identifier to bypass the pairing requirements. This allows unauthorized access to node event execution flows, effectively bypassing expected security controls.'}, {'type': 'paragraph', 'content': 'The root cause is reliance on untrusted input (client.id) in a security decision, classified as CWE-807.'}] [1, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with authenticated node role websocket access to bypass pairing and device identity verification, gaining unauthorized access to node event execution flows.

Such unauthorized access can lead to unauthorized execution of node events, potentially compromising the integrity of the system by allowing actions that should require higher privileges.

The CVSS v4 base score of 6.0 indicates a moderate severity with a network attack vector, low attack complexity, and partial attack type, requiring low privileges and no user interaction.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring websocket client connections that use the client.id value "control-ui" with a node role, which bypasses the expected pairing process and device identity verification.'}, {'type': 'paragraph', 'content': 'You can look for websocket sessions where the client.id is set to "control-ui" but the role is "node" instead of "operator". Such connections indicate an attempt to exploit the authentication bypass.'}, {'type': 'paragraph', 'content': 'Commands to detect this might include inspecting websocket connection logs or network traffic for suspicious client.id values and roles. For example, using network packet capture tools like tcpdump or Wireshark to filter websocket traffic and grep for client.id=control-ui.'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port <websocket_port>' | grep 'client.id=control-ui'"}, {'type': 'list_item', 'content': 'Analyze application logs for websocket authentication attempts where the role is "node" but client.id is "control-ui".'}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade OpenClaw to version 2026.2.25 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'The fix enforces that only clients with the "operator" role can authenticate via the trusted-proxy Control UI pairing mechanism, preventing node role clients from bypassing authentication.'}, {'type': 'paragraph', 'content': 'Until the upgrade can be applied, restrict access to the trusted-proxy Control UI websocket endpoint to trusted networks or hosts, and monitor for suspicious client.id usage as described.'}, {'type': 'paragraph', 'content': 'Review and enhance logging and alerting on authentication attempts that use the client.id "control-ui" with roles other than "operator".'}] [1, 2, 3]

Useful 0 Not Useful 0