Description
OpenClaw before 2026.3.12 contains an insufficient access control vulnerability in the /config and /debug command handlers that allows command-authorized non-owners to access owner-only surfaces. Attackers with command authorization can read or modify privileged configuration settings restricted to owners by exploiting missing owner-level permission checks.
Published: 2026-03-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: Unauthorized configuration access
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions before 2026.3.12 contain an insufficient access-control flaw: users who hold command authorization but are not owners can read or modify configuration settings that should be restricted to owners. The weakness is classified as CWE-863 (Incorrect Authorization). Because the owner-level permission check is missing, a non-owner can reach and change privileged settings, compromising the integrity of the configuration.

Affected Systems

The affected product is OpenClaw (vendor: OpenClaw). All releases prior to version 2026.3.12 are impacted. Operators running any earlier OpenClaw release should verify that the /config and /debug command handlers are protected, or apply the update.

Risk and Exploitability

The CVSS 4.0 score of 8.7 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, inferred from the flaw being triggered by HTTP requests to exposed endpoints. Exploitation requires that the attacker already holds command authorization, which ordinary users may have in some deployments. The absence of owner-level checks makes the flaw exploitable under those conditions. Given the high severity and how easily an authenticated session can trigger it, immediate attention is warranted.

Generated by OpenCVE AI on March 29, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.12 or later

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | OpenClaw before 2026.3.12 contains an insufficient access control vulnerability in the /config and /debug command handlers that allows command-authorized non-owners to access owner-only surfaces. Attackers with command authorization can read or modify privileged configuration settings restricted to owners by exploiting missing owner-level permission checks.
Title | (none) | OpenClaw < 2026.3.12 - Insufficient Access Control in /config and /debug Endpoints
First Time appeared | (none) | Openclaw; Openclaw openclaw
Weaknesses | (none) | CWE-863
CPEs | (none) | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | (none) | Openclaw; Openclaw openclaw
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-29T12:44:19.939Z

Reserved: 2026-03-16T21:19:00.742Z

Link: CVE-2026-32914

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-29T13:16:59.767

Modified: 2026-03-29T13:16:59.767

Link: CVE-2026-32914

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:31:37Z

Weaknesses