CVE-2026-32067
Authorization Bypass in OpenClaw Pairing-Store Enables Cross-Account Access
Publication date: 2026-03-21
Last updated on: 2026-03-24
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.2.26 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32067 is an authorization bypass vulnerability in OpenClaw versions prior to 2026.2.26. It occurs in the direct message (DM) pairing-store access control, where pairing approvals granted in one user account can be reused across multiple accounts in multi-account deployments. This means an attacker approved as a sender in one account can be automatically accepted in another account without explicit approval, bypassing authorization boundaries.
The root cause is insufficient scoping of pairing-store API calls by account, allowing cross-account reuse of pairing approvals. The vulnerability is classified under CWE-863 (Incorrect Authorization) and has a low severity rating.
How can this vulnerability impact me?
This vulnerability can allow unauthorized users to bypass authorization controls in multi-account OpenClaw deployments. Specifically, an attacker approved as a sender in one account can send direct messages to another account without explicit approval, potentially leading to unauthorized message delivery and cross-account data leakage.
Although the impact is rated low severity, it compromises the integrity of authorization boundaries between accounts, which could undermine trust and security in environments where multiple accounts are managed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for improper usage of pairing-store APIs that do not explicitly scope operations to a specific user account via an accountId parameter.
A static analysis script named `check-pairing-account-scope.mjs` is used within the OpenClaw project to scan the codebase for violations such as:
- Calls to `readChannelAllowFromStore` without an explicit third argument `accountId`.
- Usage of the legacy APIs `readLegacyChannelAllowFromStore` and `readLegacyChannelAllowFromStoreSync`, which are disallowed.
- Calls to `upsertChannelPairingRequest` where the first argument object lacks a defined, non-undefined `accountId` property.
This script excludes test files and reports violations with file paths and line numbers, failing the build if any are found.
To detect the vulnerability on your system, you can run this static analysis script if you have access to the OpenClaw source code, or audit your codebase for the above improper API usages.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves upgrading OpenClaw to version 2026.2.26 or later, where the vulnerability has been fixed.
The fix enforces strict account-scoped pairing reads and writes by requiring all pairing-store API calls to explicitly include an `accountId` parameter, preventing cross-account reuse of pairing approvals.
If upgrading is not immediately possible, review and refactor your code to:
- Replace legacy pairing-store API calls with account-scoped versions.
- Ensure all pairing-store API calls explicitly pass a valid `accountId`.
- Use helper functions like `createScopedPairingAccess` to scope pairing operations per account and channel.
Additionally, integrate the static analysis script `check-pairing-account-scope.mjs` into your build or CI process to prevent regressions.
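The three checks listed in the detection answer, and the CI regression gate recommended above, can be illustrated with a small scanner. The block below is an added example and is not OpenClaw's own `check-pairing-account-scope.mjs`; only the API names (`readChannelAllowFromStore`, the two legacy readers, `upsertChannelPairingRequest`) come from the CVE record. The test-file convention, the sample source files and the `accountId`-as-third-argument interpretation are assumptions made for the example.

```javascript
// Added example, not OpenClaw's own check-pairing-account-scope.mjs: a regex/bracket-
// based scanner for the three misuse patterns listed in the Q&A. Only the API names
// come from the CVE record; the test-file convention and sample sources are constructed.

const LEGACY_APIS = new Set(['readLegacyChannelAllowFromStore', 'readLegacyChannelAllowFromStoreSync']);

// Split the text inside the bracket at openIdx ("(" of a call, "{" of an object literal)
// on top-level commas, skipping nested brackets and string literals. Null if unbalanced.
function splitInside(src, openIdx) {
  const parts = [];
  let depth = 0, quote = null, start = openIdx + 1;
  for (let i = openIdx; i < src.length; i++) {
    const ch = src[i];
    if (quote) {                                   // inside a string literal
      if (ch === '\\') i++;                        // skip the escaped character
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === '`') { quote = ch; continue; }
    if ('([{'.includes(ch)) { depth++; continue; }
    if (')]}'.includes(ch)) {
      if (--depth > 0) continue;                   // depth 0: this closes the span we opened
      const last = src.slice(start, i).trim();
      if (last) parts.push(last);
      return parts;
    }
    if (ch === ',' && depth === 1) {
      parts.push(src.slice(start, i).trim());
      start = i + 1;
    }
  }
  return null;
}

// True when an object literal carries an accountId that is not `undefined`. A non-literal
// argument cannot be verified statically, so it is flagged too.
function hasDefinedAccountId(objText) {
  if (!objText.startsWith('{')) return false;
  for (const prop of splitInside(objText, 0) || []) {
    const m = /^accountId\s*(?::\s*([\s\S]+))?$/.exec(prop); // shorthand or `accountId: value`
    if (m) return m[1] === undefined || m[1].trim() !== 'undefined';
  }
  return false;
}

const CALL_RE = /\b(readChannelAllowFromStore|readLegacyChannelAllowFromStore(?:Sync)?|upsertChannelPairingRequest)\s*\(/g;

// Scan one file's source text; returns a { file, line, rule } record per violation.
function scanSource(src, file) {
  const found = [];
  for (const m of src.matchAll(CALL_RE)) {
    const before = src.slice(0, m.index);
    if (/function\s+$/.test(before)) continue;     // definition site, not a call
    const name = m[1];
    const args = splitInside(src, m.index + m[0].length - 1) || [];
    const line = before.split('\n').length;
    let rule = null;
    if (LEGACY_APIS.has(name)) rule = `${name} is a legacy, unscoped pairing-store API`;
    else if (name === 'readChannelAllowFromStore' && (args.length < 3 || args[2] === 'undefined'))
      rule = 'readChannelAllowFromStore called without an explicit accountId (3rd argument)';
    else if (name === 'upsertChannelPairingRequest' && !hasDefinedAccountId(args[0] || ''))
      rule = 'upsertChannelPairingRequest first argument lacks a defined accountId';
    if (rule) found.push({ file, line, rule });
  }
  return found;
}

// Assumed test-file convention; the real script's exclusion rules are not on the page.
const isTestFile = (file) => /\.(test|spec)\.[cm]?[jt]sx?$/.test(file) || /(^|\/)__tests__\//.test(file);

// Scan a { path: sourceText } map, skipping test files.
function scanFiles(files) {
  return Object.entries(files)
    .filter(([file]) => !isTestFile(file))
    .flatMap(([file, src]) => scanSource(src, file));
}

// Constructed sample sources (not OpenClaw code); the comments mark the expected hits.
const SAMPLE_FILES = {
  'src/channels/inbound.ts': `import { readChannelAllowFromStore, upsertChannelPairingRequest } from './pairing-store';
export async function isAllowed(channel, store, accountId) {
  const ok = await readChannelAllowFromStore(channel, store, accountId); // scoped: fine
  const bad = await readChannelAllowFromStore(channel, store);           // line 4: no accountId
}
export function requestPairing(channel, sender, accountId) {
  upsertChannelPairingRequest({ channel, sender, accountId });            // fine
  upsertChannelPairingRequest({ channel, sender, accountId: undefined }); // line 8: undefined
  upsertChannelPairingRequest({ channel, sender, note: "a, b" });         // line 9: missing
}`,
  'src/legacy/compat.js': `const allow = readLegacyChannelAllowFromStoreSync(channel, store); // line 1: legacy API`,
  'src/channels/inbound.test.ts': `readChannelAllowFromStore(channel, store); // skipped: test file`,
};

// CI gate: list every hit; a real wrapper sets process.exitCode = 1 when the list is non-empty.
const violations = scanFiles(SAMPLE_FILES);
for (const v of violations) console.error(`${v.file}:${v.line}  ${v.rule}`);
```

Run against the constructed samples it reports four hits (three in `inbound.ts`, one in `compat.js`) and ignores the test file. A bracket-aware split rather than a plain regex is what keeps a comma inside a string literal or nested object from being miscounted as an argument separator; in a CI wrapper, a non-empty result should fail the job.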