What is the CVSS score of CVE-2026-32899?

CVE-2026-32899 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Openclaw are affected by CVE-2026-32899?

CVE-2026-32899 presents moderate security risk, a incorrect authorization vulnerability rated CVSS 4.3. Attackers could gain access beyond their authorized level.. A patch is available.

Is there a public PoC exploit available for CVE-2026-32899?

Yes, a public proof-of-concept exploit is available for CVE-2026-32899. Prioritise patching immediately. EPSS: 0.0%.

Openclaw CVE-2026-32899

EUVD-2026-13978 MEDIUM

Incorrect Authorization (CWE-863)

2026-03-21 VulnCheck

Authentication Bypass Openclaw

4.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

4.3 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

PoC Detected

Mar 24, 2026 - 21:06 vuln.today

Public exploit code

EUVD ID Assigned

Mar 21, 2026 - 01:00 euvd

EUVD-2026-13978

Analysis Generated

Mar 21, 2026 - 01:00 vuln.today

Patch released

Mar 21, 2026 - 01:00 nvd

Patch available

CVE Published

Mar 21, 2026 - 00:42 nvd

MEDIUM 4.3

DescriptionCVE.org

OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from restricted senders.

AnalysisAI

OpenClaw fails to consistently apply sender-policy checks to reaction and pin event handlers, allowing authenticated attackers to bypass configured direct message policies and channel user allowlists by injecting unauthorized events from restricted senders. The vulnerability affects OpenClaw versions prior to 2026.2.25, requires low privileges (authenticated user), and enables unauthorized event injection with moderate severity (CVSS 4.3). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 4.3 score reflects a low-to-moderate severity profile with network attack vector, low complexity, and low privilege requirements, but limited impact (integrity only, no confidentiality or availability impact). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker in an OpenClaw workspace can craft reaction_* or pin_* events spoofing a restricted sender (one blocked by configured DM policies or channel allowlists) and inject these events into the system-event context, bypassing the intended access controls. Since the attack requires only network access and low privileges (existing user account), an insider or compromised low-privilege account can bypass channel member restrictions and DM policies in under a minute by sending malformed or manipulated event payloads. …
Remediation	Upgrade OpenClaw to version 2026.2.25 or later to apply the sender-policy validation fixes implemented in commits aedf62ac7e669a89c7b295201bf6537dc6b12e0e and 75dfb71e4e8b7c2feba5a8ca662f92ea840e0147. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53836 HIGH This Week

8.7 Jun 12

Remote code execution in OpenClaw before 2026.5.12 allows authenticated operators to bypass the PowerShell execution all

CVE-2026-53822 HIGH This Week

8.7 Jun 12

Command injection in OpenClaw before 2026.5.18 allows authenticated attackers to modify shell wrapper argv between appro

CVE-2026-53819 HIGH This Week

8.7 Jun 11

Arbitrary code execution in OpenClaw before 2026.5.27 lets attackers hijack the Homebrew executable resolved during skil

CVE-2026-53817 HIGH This Week

8.7 Jun 11

Authentication bypass in OpenClaw before 2026.5.22 allows authenticated network attackers to spoof locality information

CVE-2026-53821 HIGH This Week

8.7 Jun 12

Privilege escalation in OpenClaw before 2026.5.18 allows WebSocket-connected Control UI clients to claim operator.admin

CVE-2026-32899 vulnerability details – vuln.today

Back

Openclaw CVE-2026-32899

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code