CVE-2026-32975
Authorization Bypass in OpenClaw Zalouser Allowlist via Group Name Collision
Publication date: 2026-03-29
Last updated on: 2026-03-30
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | before 2026.3.12 (2026.3.12 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized groups to bypass channel authorization and potentially access or disclose information by exploiting weak authorization based on mutable group names instead of stable identifiers.
Such unauthorized access or information disclosure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and protection against unauthorized disclosure.
Therefore, if exploited, this vulnerability could lead to violations of data protection and privacy requirements mandated by these regulations.
Can you explain this vulnerability to me?
CVE-2026-32975 is a weak authorization vulnerability in OpenClaw versions before 2026.3.12, specifically in the Zalouser allowlist mode.
The vulnerability exists because the allowlist check compares the mutable group display name rather than a stable, immutable group identifier when deciding whether a group may reach the agent.
Because any user can create a group whose display name matches an allowlisted group, such a look-alike group passes the channel authorization check.
As a result, messages from unauthorized groups can be routed to the agent, potentially leading to unauthorized access or information disclosure.
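The following is an added illustration, written for this page and not taken from OpenClaw's code base: it contrasts an allowlist keyed by display name (the CWE-807 pattern described above) with one keyed by a platform-assigned group id (the approach the fix in 2026.3.12 is described as taking), and adds a small audit helper that flags a display name admitted under more than one id. The `Group`, `InboundMessage`, `authorizeInbound` and `findNameCollisions` names, and every group name and id, are constructed for the example.

```typescript
// Added example (not OpenClaw's code). All groups, names and ids are constructed.

interface Group {
  id: string;   // stable identifier assigned by the platform; not chosen by the sender
  name: string; // display name; any user can create a group with any name
}

interface InboundMessage {
  group: Group;
  text: string;
}

// Allowlist as an operator might have configured it before the fix: display names.
const allowlistByName: string[] = ["ops-team"];

// Allowlist keyed by stable identifiers (the post-fix approach).
const allowlistById: Set<string> = new Set<string>(["g-1001"]);

// Vulnerable check (CWE-807 pattern): the decision rests on an input the sender controls.
function isAllowedByName(group: Group): boolean {
  return allowlistByName.includes(group.name);
}

// Hardened check: keys on the identifier the sender cannot choose.
function isAllowedById(group: Group): boolean {
  return allowlistById.has(group.id);
}

// Decision record: both name and id are kept so a collision (same name,
// different id) is visible in the audit trail even under the weak check.
interface Decision {
  allowed: boolean;
  groupId: string;
  groupName: string;
  reason: string;
}

function authorizeInbound(msg: InboundMessage, useStableIds: boolean): Decision {
  const allowed = useStableIds ? isAllowedById(msg.group) : isAllowedByName(msg.group);
  return {
    allowed,
    groupId: msg.group.id,
    groupName: msg.group.name,
    reason: useStableIds ? "allowlist keyed by group id" : "allowlist keyed by display name",
  };
}

// Constructed scenario: the legitimate allowlisted group and a second group
// with an identical display name but a different platform id.
const legitGroup: Group = { id: "g-1001", name: "ops-team" };
const collidingGroup: Group = { id: "g-9999", name: "ops-team" };

// Audit helper: over a set of allowed decisions, report every display name that
// was admitted under more than one distinct id. Useful for reviewing historical
// decision logs from a deployment that ran the name-keyed check.
function findNameCollisions(decisions: Decision[]): Map<string, string[]> {
  const idsByName = new Map<string, Set<string>>();
  for (const d of decisions) {
    if (!d.allowed) continue;
    const ids = idsByName.get(d.groupName) ?? new Set<string>();
    ids.add(d.groupId);
    idsByName.set(d.groupName, ids);
  }
  const collisions = new Map<string, string[]>();
  idsByName.forEach((ids, name) => {
    if (ids.size > 1) collisions.set(name, Array.from(ids).sort());
  });
  return collisions;
}

// Stand-alone demonstration.
const byName = [legitGroup, collidingGroup].map((g) => authorizeInbound({ group: g, text: "hi" }, false));
const byId = [legitGroup, collidingGroup].map((g) => authorizeInbound({ group: g, text: "hi" }, true));
console.log("name-keyed:", byName.map((d) => d.allowed)); // [true, true]
console.log("id-keyed:", byId.map((d) => d.allowed));     // [true, false]
console.log("collisions:", Array.from(findNameCollisions(byName).keys())); // ["ops-team"]
```

The design point is that the allowlist must be keyed on whatever attribute the platform guarantees is unique and not user-selectable; recording both attributes in each decision gives defenders a way to spot name collisions in logs from before an upgrade.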
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass channel authorization by impersonating allowlisted groups through identical group names.
As a result, unauthorized messages from unintended groups can be routed to the agent, potentially leading to unauthorized access or disclosure of sensitive information.
The impact includes compromised confidentiality and integrity of communications within the affected system.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade OpenClaw to version 2026.3.12 or later.
This update fixes the weak authorization issue by enforcing allowlist authorization using stable, immutable group identifiers instead of mutable group display names.