LeakyCreds

CVE-2026-32975 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 30, 2026

OpenClaw - Broken Access Control

Published: March 29, 2026
Updated: March 30, 2026
Remote Exploitable

Overview

OpenClaw before 2026.3.12 contains a broken access control vulnerability: in Zalouser allowlist mode it matches mutable group display names instead of stable group identifiers, letting attackers bypass channel authorization and route messages from unintended groups. Exploitation requires the attacker to create groups whose names match allowlisted ones.
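An added illustration of the flaw class described above (not OpenClaw's code; the Group and InboundMessage structures and the sample identifiers are assumed): the display-name check is the vulnerable pattern, the identifier check is the fix, and the audit helper finds the names a name-keyed allowlist could never tell apart.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    group_id: str  # stable, platform-assigned identifier
    name: str      # mutable display name, chosen by whoever created the group


@dataclass(frozen=True)
class InboundMessage:
    group: Group
    text: str


# Vulnerable: allowlist keyed by the mutable display name, which any user who
# can create a group can choose (CWE-807: untrusted input in a security decision).
def is_allowed_by_name(msg: InboundMessage, allowed_names: set[str]) -> bool:
    return msg.group.name in allowed_names


# Fixed: allowlist keyed by the stable group identifier, which the platform
# assigns and an attacker cannot collide with by naming a new group.
def is_allowed_by_id(msg: InboundMessage, allowed_ids: set[str]) -> bool:
    return msg.group.group_id in allowed_ids


# Operator-side audit: display names shared by more than one group id are
# exactly the ones a name-keyed allowlist cannot distinguish.
def ambiguous_names(groups: list[Group]) -> set[str]:
    ids_by_name: dict[str, set[str]] = {}
    for g in groups:
        ids_by_name.setdefault(g.name, set()).add(g.group_id)
    return {n for n, ids in ids_by_name.items() if len(ids) > 1}


# Constructed sample data (assumed ids): one allowlisted group, plus a second,
# unrelated group later created with the same display name.
LEGIT = Group(group_id="grp-1001", name="Ops Team")
LOOKALIKE = Group(group_id="grp-9042", name="Ops Team")


def demo() -> dict[str, bool]:
    allowed_names = {LEGIT.name}
    allowed_ids = {LEGIT.group_id}
    legit_msg = InboundMessage(LEGIT, "deploy status?")
    lookalike_msg = InboundMessage(LOOKALIKE, "deploy status?")
    return {
        "legit_by_name": is_allowed_by_name(legit_msg, allowed_names),
        "lookalike_by_name": is_allowed_by_name(lookalike_msg, allowed_names),
        "legit_by_id": is_allowed_by_id(legit_msg, allowed_ids),
        "lookalike_by_id": is_allowed_by_id(lookalike_msg, allowed_ids),
    }


if __name__ == "__main__":
    print(demo(), ambiguous_names([LEGIT, LOOKALIKE]))
```

The name-keyed check admits the lookalike group; the id-keyed check denies it, and the audit reports "Ops Team" as an allowlist entry that needs migrating to an identifier.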

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 5.9% (probability of exploitation in the next 30 days)

Impact

Attackers can bypass channel authorization to route messages from unintended groups, potentially leading to unauthorized data access or manipulation.

Mitigation

Update to version 2026.3.12 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 29, 2026

🔓 CVE-2026-32975 - Critical (9.8) OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups t... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32975/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-32975
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: confirmed
EPSS: 5.9%
Social Posts: 1

CWE

  • CWE-807

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

5.9% (probability of exploitation in the next 30 days)