CVE-2026-32039
MEDIUM
GHSA-wpph-cjgr-7c39
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
3Description
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutable identity values such as senderName or senderUsername to bypass sender-authorization policies and gain unauthorized access to privileged tools.
Analysis
OpenClaw versions before 2026.2.22 allow authenticated attackers to bypass sender authorization checks through identifier collision attacks, enabling them to gain unauthorized access to privileged tools. By exploiting untyped sender keys and forcing collisions with mutable identity fields like senderName or senderUsername, attackers can inherit elevated permissions not granted to their account. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running an authorization bypass vulnerability in the toolsBySender g and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today