What is the CVSS score of CVE-2026-32897?

CVE-2026-32897 has a CVSS 3.1 base score of 3.7 (Low). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.1%.

Is there a public PoC exploit available for CVE-2026-32897?

Yes, a public proof-of-concept exploit is available for CVE-2026-32897. Prioritise patching immediately. EPSS: 0.1%.

OpenClaw CVE-2026-32897

Q: Which versions of OpenClaw are affected by CVE-2026-32897?

CVE-2026-32897 is a low-severity vulnerability in OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback (CVSS 3.7).. A patch is available.

EUVD-2026-13974 LOW

Key Management Errors (CWE-320)

2026-03-21 VulnCheck

GHSA-8mr2-f9wf-hcfq

Information Disclosure

3.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

PoC Detected

Mar 24, 2026 - 21:07 vuln.today

Public exploit code

EUVD ID Assigned

Mar 21, 2026 - 01:00 euvd

EUVD-2026-13974

Analysis Generated

Mar 21, 2026 - 01:00 vuln.today

Patch released

Mar 21, 2026 - 01:00 nvd

Patch available

CVE Published

Mar 21, 2026 - 00:42 nvd

LOW 3.7

DescriptionNVD

OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to system prompts sent to third-party model providers can derive the gateway authentication token from the hash outputs, compromising gateway authentication security.

AnalysisAI

OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. …

RemediationAI

During next maintenance window: Apply vendor patches when convenient. Vendor patch is available.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-32897 vulnerability details – vuln.today

Back

OpenClaw CVE-2026-32897

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code