Vulnerability Description
OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier to skip pairing requirements and gain unauthorized access to node event execution flows.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.25 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/ec45c317f5d0631a3d333b236da58c4749edPatch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vvgp-4c28-m3jmVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-Third Party Advisory
FAQ
What is CVE-2026-32057?
CVE-2026-32057 is a vulnerability with a CVSS score of 7.1 (HIGH). OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity v...
How severe is CVE-2026-32057?
CVE-2026-32057 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32057?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.