Description
OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier to skip pairing requirements and gain unauthorized access to node event execution flows.
Published: 2026-03-21
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Immediately
AI Analysis

Impact

An attacker who can open an authenticated node-role websocket session to the gateway sets the client.id field of the connect frame to "control-ui". On the trusted-proxy Control UI path the gateway treats that identifier as the operator's Control UI client and skips the device pairing step, so the node is admitted without its device identity ever being verified or approved. The result, as the GHSA title puts it, is an unpaired node session: the attacker's node reaches the node event execution flows that pairing is meant to gate. The root cause is the CWE-807 pattern, a value the client supplies deciding a security check that should depend only on server-side state.

Affected Systems

OpenClaw versions prior to 2026.2.25 are affected (CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*). 2026.2.25 is the first fixed release.

Risk and Exploitability

The CVSS 4.0 base score is 6.0, medium (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N). The CVSS 3.1 score was first published as 5.9 with AC:H and was raised to 7.1, High, on 25 Mar 2026 when the attack complexity was revised to Low; the impact components (C:L/I:H/A:N) did not change, so the reassessment concerns how easy the bypass is to reach, not what it yields. EPSS is below 1%, the issue is not in the CISA Known Exploited Vulnerabilities catalog, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The attack is a network websocket connection to the gateway made with node-role privileges (PR:L), and it applies where the gateway is deployed behind the trusted proxy that the vulnerable pairing path serves (AT:P). An attacker therefore needs node-role access first, through valid credentials or another weakness; after that, setting client.id to control-ui admits an unpaired node session with access to node event execution flows.

Generated by OpenCVE AI on March 21, 2026 at 06:55 UTC.

Remediation

Fixed in OpenClaw 2026.2.25; see GHSA-vvgp-4c28-m3jm. No vendor workaround for earlier releases is listed on this page.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.25 or later.
  • After upgrading, confirm that a node-role connection presenting client.id=control-ui through the trusted-proxy path is still required to complete device pairing rather than being admitted directly.
  • Until the upgrade is possible, restrict network access to the gateway websocket endpoint and to the trusted-proxy ingress so that only known hosts can open node-role connections.
  • Review gateway connection logs for node-role sessions that present client.id=control-ui, and for node event execution by sessions that never completed pairing.

Advisories
Source: GitHub GHSA
ID: GHSA-vvgp-4c28-m3jm
Title: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
History

Wed, 25 Mar 2026 15:00:00 +0000

Metrics: cvssV3_1
  Removed: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}
  Added:   {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


Mon, 23 Mar 2026 17:15:00 +0000

Metrics: ssvc
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 21 Mar 2026 05:30:00 +0000 (initial record; all values added)

Description: OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier to skip pairing requirements and gain unauthorized access to node event execution flows.
Title: OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter
First Time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-807
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References:
Metrics: cvssV3_1
  Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}
Metrics: cvssV4_0
  Added: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-25T14:26:19.534Z

Reserved: 2026-03-10T19:48:47.516Z

Link: CVE-2026-32057

Vulnrichment

Updated: 2026-03-23T16:47:10.779Z

NVD

Status : Modified

Published: 2026-03-21T01:17:09.310

Modified: 2026-03-25T15:16:46.930

Link: CVE-2026-32057

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:44:12Z

Weaknesses