CVE-2026-32970
Received Received - Intake
Credential Fallback Vulnerability in OpenClaw Enables Auth Bypass

Publication date: 2026-03-31

Last updated on: 2026-04-02

Assigner: VulnCheck

Description
OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth references to cause CLI and helper paths to select incorrect credential sources, potentially bypassing intended local authentication boundaries.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32970
EUVD
EUVD-2026-17377
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32970 is a credential fallback vulnerability in OpenClaw versions before 2026.3.11. When local authentication SecretRefs for gateway.auth.token and gateway.auth.password are configured but unavailable, the system incorrectly treats them as if they were not set at all. This causes the authentication process in local mode to fall back to using remote credentials instead of failing securely.

Attackers can exploit this misconfiguration to manipulate CLI and helper paths to select incorrect credential sources, potentially bypassing the intended local authentication boundaries. The issue is classified under CWE-636, meaning the system fails open rather than securely failing.

Impact Analysis

This vulnerability can allow attackers with local access and low privileges to bypass intended local authentication boundaries by causing the system to use remote credentials instead of local ones. This could lead to unauthorized access to resources or functions that should be protected by local authentication.

However, the overall severity is low (CVSS score 2.5), and no server-side gateway-authentication boundary bypass was confirmed. The attack complexity is high and user interaction is not required.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade OpenClaw to version 2026.3.11 or later.

This update fixes the credential fallback logic by ensuring that remote credential fallback in local mode only occurs if the corresponding local authentication input is truly unset, preventing fallback on unavailable but configured credentials.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

There is no specific information provided in the available resources about detection methods or commands to identify this vulnerability on your network or system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32970. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart