CVE-2026-32975 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: March 29, 2026
OpenClaw - Broken Access Control
Published: March 29, 2026Updated: March 29, 2026Remote Exploitable
Overview
OpenClaw before 2026.3.12 contains a broken access control vulnerability caused by matching mutable group display names instead of stable group identifiers in Zalouser allowlist mode, letting attackers bypass channel authorization and route messages from unintended groups, exploit requires attacker to create groups with identical names.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can bypass channel authorization to route messages from unintended groups, potentially leading to unauthorized data access or manipulation.
Mitigation
Update to version 2026.3.12 or later.
References
Related Resources
Details
- CVE ID
- CVE-2026-32975
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- broken_access_control
- Status
- new
CWE
- CWE-807
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H