Vulnerability Description
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutable identity values such as senderName or senderUsername to bypass sender-authorization policies and gain unauthorized access to privileged tools.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.22 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe91Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39Vendor Advisory
- https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-idThird Party Advisory
FAQ
What is CVE-2026-32039?
CVE-2026-32039 is a vulnerability with a CVSS score of 5.9 (MEDIUM). OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identif...
How severe is CVE-2026-32039?
CVE-2026-32039 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32039?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.