CVE-2026-32975
Received Received - Intake
Authorization Bypass in OpenClaw Zalouser Allowlist via Group Name Collision

Publication date: 2026-03-29

Last updated on: 2026-03-30

Assigner: VulnCheck

Description
OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages from unintended groups to the agent.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-29
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32975
EUVD
EUVD-2026-17014
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized groups to bypass channel authorization and potentially access or disclose information by exploiting weak authorization based on mutable group names instead of stable identifiers.

Such unauthorized access or information disclosure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and protection against unauthorized disclosure.

Therefore, if exploited, this vulnerability could lead to violations of data protection and privacy requirements mandated by these regulations.

Executive Summary

CVE-2026-32975 is a weak authorization vulnerability in OpenClaw versions before 2026.3.12, specifically in the Zalouser allowlist mode.

The vulnerability occurs because the system uses mutable group display names instead of stable, immutable group identifiers to make authorization decisions.

Attackers can exploit this by creating groups with the same names as allowlisted groups, allowing them to bypass channel authorization controls.

This enables unauthorized groups to route messages to the agent, potentially leading to unauthorized access or information disclosure.

Impact Analysis

This vulnerability can allow attackers to bypass channel authorization by impersonating allowlisted groups through identical group names.

As a result, unauthorized messages from unintended groups can be routed to the agent, potentially leading to unauthorized access or disclosure of sensitive information.

The impact includes compromised confidentiality and integrity of communications within the affected system.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade OpenClaw to version 2026.3.12 or later.

This update fixes the weak authorization issue by enforcing allowlist authorization using stable, immutable group identifiers instead of mutable group display names.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32975. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart