CVE-2026-32039

MEDIUM

5.9

Descripcion

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutable identity values such as senderName or senderUsername to bypass sender-authorization policies and gain unauthorized access to privileged tools.

Detalles CVE

Puntuacion CVSS v3.15.9

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Vector de ataqueNETWORK

ComplejidadHIGH

Privilegios requeridosLOW

Interaccion usuarioNONE

Publicado3/19/2026

Ultima modificacion3/20/2026

Fuentenvd

Avistamientos honeypot0

Debilidades (CWE)

CWE-639

Referencias

https://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-identity-collision-in-toolsbysender(disclosure@vulncheck.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.