Platform
nodejs
Component
openclaw
Fixed in
2026.2.22
2026.2.22
CVE-2026-32039 affects the openclaw npm package, specifically concerning how it handles sender policies. A collision can occur when deployments use untyped keys, allowing a malicious sender to potentially bypass intended restrictions. This vulnerability impacts versions up to and including 2026.2.21-2. The issue has been resolved with the release of version 2026.2.22.
The core of this vulnerability lies in the way openclaw manages sender identities. The channels..groups..toolsBySender configuration setting could be manipulated by an attacker using a colliding mutable identity value, such as a shared senderName or senderUsername. This effectively allows a malicious sender to masquerade as a privileged sender, potentially gaining unauthorized access to resources or performing actions they shouldn't be able to. The impact is a potential bypass of sender policy controls, leading to unauthorized actions within the system. While the specific blast radius depends on the privileges associated with the targeted sender policy, successful exploitation could lead to significant data breaches or system compromise.
CVE-2026-32039 was published on March 3, 2026. Severity is assessed as MEDIUM (CVSS 5.9). Currently, there are no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of active exploitation at this time. Monitor security advisories and threat intelligence feeds for any indications of exploitation attempts.
Exploit Status
EPSS
0.02% (6% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32039 is to upgrade the openclaw npm package to version 2026.2.22 or later. This version introduces explicit typed sender keys (id:, e164:, username:, name:) to prevent collisions. For environments where immediate upgrading is not feasible, consider temporarily migrating to the deprecated ID-only path for legacy untyped keys, although this is not a long-term solution. Review and tighten sender policy configurations to minimize the potential impact of a successful attack. After upgrading, confirm the fix by testing sender policy enforcement with various sender identities, ensuring that only authorized senders can access protected resources.
Update OpenClaw to version 2026.2.22 or later. This version fixes the authorization bypass vulnerability by properly validating sender identities.
Vulnerability analysis and critical alerts directly to your inbox.
It's a vulnerability in the OpenClaw npm package where collisions in sender policies can occur due to untyped keys, potentially allowing unauthorized access.
If you are using OpenClaw versions 2026.2.21-2 or earlier, you are potentially affected by this vulnerability.
Upgrade the OpenClaw npm package to version 2026.2.22 or later to resolve the issue. Consider temporary workarounds if immediate upgrade is not possible.
Currently, there are no publicly known exploits or active campaigns targeting this vulnerability, but monitoring is still recommended.
Refer to the official npm package page for OpenClaw and consult security advisories for updates and further information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.