OpenClaw version 2026.3.1 and earlier: Authorized users can access sensitive settings
CVE-2026-32051
Summary
Authenticated users with certain permissions can access and control sensitive features in OpenClaw. This means that an attacker holding only a lower level of access can still perform control-plane changes that should require a higher level. Update to OpenClaw version 2026.3.1 or later to fix this issue.
Original title
OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway ...
Original description
OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent runs in scoped-token deployments. Attackers with write-scope access can perform control-plane actions beyond their intended authorization level by exploiting inconsistent owner-only gating during agent execution.
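The advisory describes owner-only gating that is enforced on one call path but not on tool invocations made during an agent run. The following is an added illustration of that pattern and its fix, not OpenClaw's own code; the tool names, scope strings and function names are hypothetical stand-ins.

```python
"""Authorization mismatch of the kind described in CVE-2026-32051 (illustrative).

Hypothetical model: 'gateway' and 'cron' are owner-only tool surfaces,
'operator.write' is a scoped token, and the bug is that the agent-run path
dispatches tools without the check the direct path applies.
"""
from dataclasses import dataclass

OWNER_ONLY_TOOLS = frozenset({"gateway", "cron"})  # hypothetical owner-only surfaces


class AuthorizationError(PermissionError):
    pass


@dataclass(frozen=True)
class Caller:
    scopes: frozenset  # e.g. {"operator.write"} for a scoped-token deployment


def authorize_tool(caller: Caller, tool: str) -> None:
    """Single policy point: owner-only tools require the 'owner' scope."""
    if tool in OWNER_ONLY_TOOLS and "owner" not in caller.scopes:
        raise AuthorizationError(f"{tool} requires owner scope")


def invoke_direct(caller: Caller, tool: str) -> str:
    """Direct tool call: gated correctly."""
    authorize_tool(caller, tool)
    return f"{tool}: ok"


def run_agent_vulnerable(caller: Caller, tool_calls: list) -> list:
    """Mismatch: the agent path never consults the caller's scopes."""
    return [f"{t}: ok" for t in tool_calls]


def run_agent_fixed(caller: Caller, tool_calls: list) -> list:
    """Fix: every agent-issued tool call goes through the same policy point."""
    results = []
    for t in tool_calls:
        authorize_tool(caller, t)
        results.append(f"{t}: ok")
    return results


def can_reach_owner_tools(runner, caller: Caller) -> bool:
    """Regression check: can this path reach an owner-only tool for the caller?"""
    try:
        runner(caller, ["cron"])
    except AuthorizationError:
        return False
    return True
```

`can_reach_owner_tools` is the kind of check a test suite can run against each execution path so that a newly added path cannot silently bypass the gate.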
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 8.7
Vulnerability type: CWE-863 (Incorrect Authorization)
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026