CVE-2026-32975
Received Received - Intake

Authorization Bypass in OpenClaw Zalouser Allowlist via Group Name Collision

Vulnerability report for CVE-2026-32975, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-29

Last updated on: 2026-03-30

Assigner: VulnCheck

Description

OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages from unintended groups to the agent.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-29
Last Modified
2026-03-30
Generated
2026-07-06
AI Q&A
2026-03-29
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.12 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-32975 is a weak authorization vulnerability in OpenClaw versions before 2026.3.12, specifically in the Zalouser allowlist mode.

The vulnerability occurs because the system uses mutable group display names instead of stable, immutable group identifiers to make authorization decisions.

Attackers can exploit this by creating groups with the same names as allowlisted groups, allowing them to bypass channel authorization controls.

This enables unauthorized groups to route messages to the agent, potentially leading to unauthorized access or information disclosure.

Compliance Impact

The vulnerability allows unauthorized groups to bypass channel authorization and potentially access or disclose information by exploiting weak authorization based on mutable group names instead of stable identifiers.

Such unauthorized access or information disclosure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and protection against unauthorized disclosure.

Therefore, if exploited, this vulnerability could lead to violations of data protection and privacy requirements mandated by these regulations.

Impact Analysis

This vulnerability can allow attackers to bypass channel authorization by impersonating allowlisted groups through identical group names.

As a result, unauthorized messages from unintended groups can be routed to the agent, potentially leading to unauthorized access or disclosure of sensitive information.

The impact includes compromised confidentiality and integrity of communications within the affected system.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade OpenClaw to version 2026.3.12 or later.

This update fixes the weak authorization issue by enforcing allowlist authorization using stable, immutable group identifiers instead of mutable group display names.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32975. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart