CVE-2026-32970
Credential Fallback Vulnerability in OpenClaw Enables Auth Bypass
Publication date: 2026-03-31
Last updated on: 2026-04-02
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.3.11 (2026.3.11 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-636 | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32970 is a credential fallback vulnerability in OpenClaw versions before 2026.3.11. When local authentication SecretRefs for gateway.auth.token and gateway.auth.password are configured but unavailable, the system incorrectly treats them as if they were not set at all. This causes the authentication process in local mode to fall back to using remote credentials instead of failing securely.
Attackers can exploit this misconfiguration to manipulate CLI and helper paths to select incorrect credential sources, potentially bypassing the intended local authentication boundaries. The issue is classified under CWE-636, meaning the system fails open rather than securely failing.
How can this vulnerability impact me?
This vulnerability can allow attackers with local access and low privileges to bypass intended local authentication boundaries by causing the system to use remote credentials instead of local ones. This could lead to unauthorized access to resources or functions that should be protected by local authentication.
However, the overall severity is low (CVSS score 2.5), and no server-side gateway-authentication boundary bypass was confirmed. The attack complexity is high and user interaction is not required.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade OpenClaw to version 2026.3.11 or later.
This update fixes the credential fallback logic by ensuring that remote credential fallback in local mode only occurs if the corresponding local authentication input is truly unset, preventing fallback on unavailable but configured credentials.
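The fail-open pattern described in the two answers above (a configured-but-unresolvable local SecretRef being treated as "not set", so local mode silently falls back to remote credentials) is easiest to see next to its fail-closed counterpart. The following TypeScript is an added illustration written for this page; it is not OpenClaw's code, and every type, function, configuration key and secret store in it is hypothetical and constructed so the example runs offline.

```typescript
// Added example illustrating the CWE-636 pattern behind CVE-2026-32970.
// This is NOT OpenClaw's code: all types, names and stores are hypothetical.

type SecretRef = { source: "env"; name: string } | { source: "file"; path: string };

interface GatewayAuthConfig {
  token?: string | SecretRef;
  password?: string | SecretRef;
}

// Constructed stand-ins for process.env and a secrets directory, so the
// example runs offline. LOCAL_TOKEN resolves; anything else is "unavailable".
const FAKE_ENV: Record<string, string> = { LOCAL_TOKEN: "local-secret-token" };
const FAKE_FILES: Record<string, string> = {};

function resolveRef(ref: SecretRef): string | undefined {
  return ref.source === "env" ? FAKE_ENV[ref.name] : FAKE_FILES[ref.path];
}

// Three states, not two: the fix hinges on telling "unset" apart from
// "configured but could not be resolved".
type Resolved =
  | { kind: "unset" }
  | { kind: "available"; value: string }
  | { kind: "unavailable"; ref: SecretRef };

function resolveInput(input: string | SecretRef | undefined): Resolved {
  if (input === undefined) return { kind: "unset" };
  if (typeof input === "string") return { kind: "available", value: input };
  const value = resolveRef(input);
  return value === undefined
    ? { kind: "unavailable", ref: input }
    : { kind: "available", value };
}

// Constructed remote credential that local mode may fall back to.
const REMOTE_TOKEN = "remote-shared-token";

interface Selection { source: "local" | "remote"; value: string }

// Vulnerable shape: any local input that did not yield a value is treated as
// absent, so an unresolvable SecretRef silently selects the remote credential.
function selectCredentialVulnerable(cfg: GatewayAuthConfig): Selection {
  for (const input of [cfg.token, cfg.password]) {
    const r = resolveInput(input);
    if (r.kind === "available") return { source: "local", value: r.value };
  }
  return { source: "remote", value: REMOTE_TOKEN };
}

// Fixed shape: fall back to the remote credential only when every local input
// is truly unset; a configured-but-unavailable ref fails closed.
function selectCredentialFixed(cfg: GatewayAuthConfig): Selection {
  const resolved = [cfg.token, cfg.password].map(resolveInput);
  const broken = resolved.find((r) => r.kind === "unavailable");
  if (broken && broken.kind === "unavailable") {
    throw new Error(`local auth SecretRef is configured but unavailable: ${JSON.stringify(broken.ref)}`);
  }
  const local = resolved.find((r) => r.kind === "available");
  if (local && local.kind === "available") return { source: "local", value: local.value };
  return { source: "remote", value: REMOTE_TOKEN };
}

// Helper for comparing the two behaviours side by side: the credential source
// chosen, or "refused" when the selector fails closed.
function outcome(select: (cfg: GatewayAuthConfig) => Selection, cfg: GatewayAuthConfig): string {
  try {
    return select(cfg).source;
  } catch {
    return "refused";
  }
}

// Constructed configurations: working ref, dangling ref, nothing configured.
const CFG_WORKING: GatewayAuthConfig = { token: { source: "env", name: "LOCAL_TOKEN" } };
const CFG_DANGLING: GatewayAuthConfig = { token: { source: "env", name: "TOKEN_NOT_EXPORTED" } };
const CFG_UNSET: GatewayAuthConfig = {};

// Returns [vulnerable outcome, fixed outcome] for each configuration.
function compare(): Record<string, [string, string]> {
  return {
    working: [outcome(selectCredentialVulnerable, CFG_WORKING), outcome(selectCredentialFixed, CFG_WORKING)],
    dangling: [outcome(selectCredentialVulnerable, CFG_DANGLING), outcome(selectCredentialFixed, CFG_DANGLING)],
    unset: [outcome(selectCredentialVulnerable, CFG_UNSET), outcome(selectCredentialFixed, CFG_UNSET)],
  };
}

console.log(compare());
```

The only case where the two selectors disagree is the dangling reference: the vulnerable version answers "remote", the fixed one refuses. That is the distinction the 2026.3.11 fix draws, and it is the behaviour a reviewer should look for in any credential loader: a configured secret that cannot be read is an error to surface, not an absence to paper over with a weaker source.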
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided in the available resources about detection methods or commands to identify this vulnerability on your network or system.