Platform
nodejs
Component
openclaw
Fixed in
2026.3.12
CVE-2026-32914 describes an insufficient access control vulnerability discovered in OpenClaw versions prior to 2026.3.12. This flaw allows command-authorized, non-owner users to access owner-only surfaces, potentially leading to unauthorized configuration modifications. The vulnerability impacts OpenClaw versions 0 through 2026.3.11, and a patch is available in version 2026.3.12.
The root cause is a missing owner-level permission check in the /config and /debug command handlers. Any user who is authorized to issue commands, but who is not the instance owner, can invoke these handlers and bypass the intended owner-only boundary. Reading the configuration may expose credentials or internal details; writing to it lets the attacker change how OpenClaw behaves, which can serve as a stepping stone to further access or control. Every OpenClaw instance in the affected version range on which a non-owner holds command authorization is exposed, so the issue is effectively a privilege escalation from command user to owner.
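To make the missing check concrete, the following is an added illustration and not OpenClaw's own code: a hypothetical chat-command dispatcher in which every sender is "command-authorized" but /config and /debug are owner-only. The vulnerable dispatcher checks only command authorization; the hardened one also compares the sender's id to the owner id before it reaches an owner-only handler. The config store, the secret it holds, the sender objects and the owner id are all constructed for the example.

```javascript
// Added example, not OpenClaw's implementation. Models the class of bug
// described above: a command gate that never asks "is this sender the owner?"
const OWNER_ONLY = new Set(["config", "debug"]);

// "/config model foo" -> { name: "config", args: "model foo" }
function parseCommand(text) {
  const m = /^\/(\w+)(?:\s+(.*))?$/.exec(text.trim());
  if (!m) return null;
  return { name: m[1].toLowerCase(), args: m[2] ? m[2].trim() : "" };
}

// Constructed state: a config with a secret, and a single owner id.
function makeState() {
  return {
    ownerId: "owner-1",
    config: { model: "gpt-x", apiToken: "sk-constructed-secret" },
  };
}

// Vulnerable form: only checks that the sender may issue commands at all.
function dispatchVulnerable(state, sender, text) {
  const cmd = parseCommand(text);
  if (!cmd) return { ok: false, error: "not a command" };
  if (!sender.commandAuthorized) return { ok: false, error: "unauthorized" };
  return handle(state, cmd);
}

// Hardened form: owner-only surfaces additionally require sender.id === ownerId.
function dispatchHardened(state, sender, text) {
  const cmd = parseCommand(text);
  if (!cmd) return { ok: false, error: "not a command" };
  if (!sender.commandAuthorized) return { ok: false, error: "unauthorized" };
  if (OWNER_ONLY.has(cmd.name) && sender.id !== state.ownerId) {
    return { ok: false, error: `/${cmd.name} is owner-only` };
  }
  return handle(state, cmd);
}

// Shared handlers. /config with no args dumps the whole config (secret included);
// "/config key value" writes it. /debug leaks internal details.
function handle(state, cmd) {
  switch (cmd.name) {
    case "config": {
      if (!cmd.args) return { ok: true, result: { ...state.config } };
      const [key, ...rest] = cmd.args.split(/\s+/);
      const value = rest.join(" ");
      if (!value) return { ok: true, result: state.config[key] };
      state.config[key] = value; // write path: alters runtime behaviour
      return { ok: true, result: `${key} set` };
    }
    case "debug":
      return { ok: true, result: { ownerId: state.ownerId, keys: Object.keys(state.config) } };
    case "help":
      return { ok: true, result: "commands: /help /config /debug" };
    default:
      return { ok: false, error: "unknown command" };
  }
}

// Walk through both dispatchers with a command-authorized non-owner.
function demo() {
  const state = makeState();
  const guest = { id: "user-7", commandAuthorized: true };
  const leaked = dispatchVulnerable(state, guest, "/config");      // exposes apiToken
  const blocked = dispatchHardened(state, guest, "/config model evil"); // denied
  return { leaked, blocked, modelAfter: state.config.model };
}
```

The only difference between the two dispatchers is the single `OWNER_ONLY` check; everything downstream is identical, which is why this kind of bug is easy to introduce when a new command is added without updating the gate.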
CVE-2026-32914 was published on March 29, 2026 and is rated High with a CVSS score of 8.8. No public proof-of-concept (PoC) exploit is known. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and its EPSS score of 0.05% (14th percentile) indicates a low probability of exploitation in the near term. Monitor security advisories and threat intelligence feeds for any sign of exploitation attempts.
Organizations that grant command authorization broadly are most exposed, for example deployments with shared accounts or loosely enforced user access controls. The impact is greatest where OpenClaw handles critical infrastructure or sensitive data, because the configuration it guards controls that processing.
Disclosure
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32914 is to upgrade OpenClaw to version 2026.3.12 or later without delay. Back up the existing configuration files first so the upgrade can be rolled back if it introduces compatibility problems. If an immediate upgrade is not feasible, tighten command authorization so that as few users as possible can issue commands at all. A WAF rule is unlikely to be effective here, but restricting by role who may reach the /config and /debug handlers provides a temporary layer of defense. After upgrading to 2026.3.12, verify the fix by invoking /config and /debug from a command-authorized, non-owner account; both must be denied.
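Because OpenClaw uses date-style version numbers, a naive string comparison gets the affected range wrong ("2026.3.9" sorts after "2026.3.12" as text). The helper below is added here and is not part of OpenClaw or its tooling: it compares versions numerically against the fixed release and reads the installed version from the `packages["node_modules/<name>"].version` entry that npm lockfile v2/v3 files carry. The lockfile object is constructed for the example, and the handling of pre-release suffixes is an assumption, not OpenClaw's versioning policy.

```javascript
// Added helper, not part of OpenClaw. Decides whether an installed version
// falls in the affected range (everything below 2026.3.12).
const FIXED_VERSION = "2026.3.12";

// Accepts "2026.3.11", "v2026.3.11" or "2026.3.12-beta.1"; the numeric part is
// compared, and anything after it is kept as a suffix.
function parseVersion(v) {
  const m = /^v?(\d+(?:\.\d+)*)(.*)$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: m[1].split(".").map(Number), suffix: m[2] };
}

// Numeric, component-wise comparison; missing components count as 0.
// Assumption: a pre-release suffix ranks below the bare release it precedes.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.parts.length, pb.parts.length);
  for (let i = 0; i < n; i++) {
    const x = pa.parts[i] ?? 0;
    const y = pb.parts[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.suffix && !pb.suffix) return -1;
  if (!pa.suffix && pb.suffix) return 1;
  return 0;
}

function isAffected(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// npm lockfile v2/v3 shape: lock.packages["node_modules/openclaw"].version
function installedVersionFromLock(lock, name = "openclaw") {
  const entry = lock && lock.packages && lock.packages[`node_modules/${name}`];
  return entry && entry.version ? entry.version : null;
}

function auditLock(lock) {
  const version = installedVersionFromLock(lock);
  if (version === null) return { installed: false, version: null, affected: false };
  return { installed: true, version, affected: isAffected(version) };
}

// Constructed lockfile excerpt for the example (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/openclaw": { version: "2026.3.5", resolved: "constructed" },
  },
};
```

Running `auditLock(SAMPLE_LOCK)` on the constructed excerpt reports the 2026.3.5 install as affected; the same function on a lockfile pinned to 2026.3.12 reports it as not affected.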
Update OpenClaw to version 2026.3.12 or later. This version fixes the insufficient access control at the /config and /debug endpoints, so that unauthorized users are denied access to privileged configuration.
CVE-2026-32914 is a High severity vulnerability in OpenClaw versions 0 through 2026.3.11 that allows command-authorized, non-owner users to access and modify owner-only configuration settings.
You are affected if you are running OpenClaw versions 0 through 2026.3.11. Upgrade to 2026.3.12 to mitigate the risk.
Upgrade OpenClaw to version 2026.3.12 or later. As a temporary workaround, restrict who may reach the /config and /debug handlers.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for future exploitation.
Refer to the OpenClaw project's official website and security advisories for the latest information and updates regarding CVE-2026-32914.