CVE-2026-32039

MEDIUM

5.9

Descricao

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutable identity values such as senderName or senderUsername to bypass sender-authorization policies and gain unauthorized access to privileged tools.

Detalhes CVE

Pontuacao CVSS v3.15.9

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

Vetor de ataqueNETWORK

ComplexidadeHIGH

Privilegios necessariosLOW

Interacao do usuarioNONE

Publicado3/19/2026

Ultima modificacao3/23/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

openclaw:openclaw

Fraquezas (CWE)

CWE-639

Referencias

https://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-identity-collision-in-toolsbysender(disclosure@vulncheck.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.