Description
OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in gateway authentication for plugin channel endpoints due to path canonicalization mismatch between the gateway guard and plugin handler routing. Attackers can bypass authentication by sending requests with alternative path encodings to access protected plugin channel APIs without proper gateway authentication.
Published: 2026-03-19
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass to protected plugin channel APIs
Action: Immediate Patch
AI Analysis

Impact

OpenClaw server-http uses a gateway authentication guard that is intended to protect plugin channel endpoints. A mismatch in path canonicalization between the guard and the plugin handler routing allows an attacker to encode the request path differently and bypass the guard, thus gaining access to the protected APIs without authenticating. This flaw results in an authentication bypass that can expose private data or allow unintended API calls.

Affected Systems

All OpenClaw installations running a version earlier than 2026.2.26 are affected. The vulnerability affects the OpenClaw product, specifically the gateway handling of API channel endpoints, as documented by the vulnerability advisories linked above.

Risk and Exploitability

The CVSS v3 score is 6.3, indicating a medium severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. The attack vector is remote over the network; an attacker only needs to send a specially crafted request with an encoded path to trigger the bypass. No authentication required, no privilege escalation beyond the scope of the API. The vulnerability could be exploited by malicious actors to access proprietary plugin data or execute unintended operations. The risk is moderate but mitigated by applying the latest patch.

Generated by OpenCVE AI on March 19, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.26 or later, ensuring the gateway and plugin handler path handling are aligned.
  • If an immediate upgrade is not possible, restrict external access to the /api/channels endpoints to trusted IPs or networks.
  • Monitor application logs for unusual access patterns to the /api/channels endpoints and review for potential unauthorized usage.

Generated by OpenCVE AI on March 19, 2026 at 23:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8j2w-6fmm-m587 OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch
History

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in gateway authentication for plugin channel endpoints due to path canonicalization mismatch between the gateway guard and plugin handler routing. Attackers can bypass authentication by sending requests with alternative path encodings to access protected plugin channel APIs without proper gateway authentication.
Title OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-288
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-20T18:09:48.362Z

Reserved: 2026-03-10T19:48:43.187Z

Link: CVE-2026-32031

cve-icon Vulnrichment

Updated: 2026-03-20T18:02:14.408Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:38.550

Modified: 2026-03-23T15:05:47.203

Link: CVE-2026-32031

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T10:44:22Z

Weaknesses