Platform
nodejs
Component
openclaw
Fixed in
2026.3.12
CVE-2026-32914 describes an insufficient access control vulnerability discovered in OpenClaw versions prior to 2026.3.12. This flaw allows command-authorized, non-owner users to access owner-only surfaces, potentially leading to unauthorized configuration modifications. The vulnerability impacts OpenClaw versions 0 through 2026.3.11, and a patch is available in version 2026.3.12.
An attacker exploiting this vulnerability could gain unauthorized access to and modification of privileged configuration settings within OpenClaw. This could involve altering system behavior, disabling security features, or even gaining control over the entire system if the configuration settings directly influence core functionality. The impact is particularly severe because the vulnerability requires only command authorization, a relatively low barrier to entry for attackers already present on the network. The ability to modify configuration settings could allow for persistent backdoors or the disruption of critical services.
CVE-2026-32914 was publicly disclosed on 2026-03-29. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's relatively straightforward nature suggests that it may be exploited in the future. The EPSS score is likely to be assessed as medium, given the potential impact and the lack of public exploits.
Exploit Status
EPSS
0.05% (14th percentile)
The primary mitigation for CVE-2026-32914 is to immediately upgrade OpenClaw to version 2026.3.12 or later. If upgrading is not immediately feasible due to compatibility concerns or system downtime requirements, consider implementing stricter access controls on the /config and /debug endpoints. This could involve restricting access to these endpoints based on user roles or IP addresses. While not a complete fix, this can reduce the attack surface. Monitor system logs for unusual activity related to these endpoints, specifically looking for unauthorized access attempts. After upgrading, confirm the fix by attempting to access owner-only configuration settings with a non-owner account; access should be denied.
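The interim control described above (gating the owner-only surfaces on role rather than on bare command authorization, logging each decision, and re-testing with a non-owner account after the upgrade) is illustrated below. This is an added example written for this page, not OpenClaw code: the surface names /config and /debug come from the advisory, while the principal records, role fields, JSON log format and the `authorize`, `handleRequest`, `findSuspiciousPrincipals` and `verifyOwnerGate` functions are constructed for the illustration.

```javascript
// Added example, not code from OpenClaw: a minimal owner-only gate for
// privileged command surfaces, an audit log for each decision, and a detector
// that scans that log for repeated denied attempts. The surface names /config
// and /debug are from the advisory; principals, roles and log format are
// constructed for this illustration.

const OWNER_ONLY_SURFACES = new Set(['/config', '/debug']);

// Constructed principals. Two are "command-authorized"; only one is the owner.
const PRINCIPALS = {
  'owner-1': { canRunCommands: true, isOwner: true },
  'operator-7': { canRunCommands: true, isOwner: false },
  'guest-3': { canRunCommands: false, isOwner: false },
};

// Weak gate: asks only whether the caller may run commands at all, so any
// command-authorized user reaches owner-only surfaces. This is the class of
// check the advisory describes, shown here for contrast.
function weakAuthorize(principalId, surface) {
  const p = PRINCIPALS[principalId];
  return { allowed: Boolean(p && p.canRunCommands), reason: p ? 'command-authorized' : 'unknown-principal' };
}

// Hardened gate: command authorization is required for every surface, and
// owner-only surfaces additionally require the owner role. Unknown principals
// are denied by default.
function authorize(principalId, surface) {
  const p = PRINCIPALS[principalId];
  if (!p) return { allowed: false, reason: 'unknown-principal' };
  if (!p.canRunCommands) return { allowed: false, reason: 'not-command-authorized' };
  if (OWNER_ONLY_SURFACES.has(surface) && !p.isOwner) {
    return { allowed: false, reason: 'owner-only-surface' };
  }
  return { allowed: true, reason: p.isOwner ? 'owner' : 'command-authorized' };
}

// Every decision is written as one JSON line so it can be shipped to a SIEM.
function handleRequest(auditLog, principalId, surface, authFn = authorize) {
  const decision = authFn(principalId, surface);
  auditLog.push(JSON.stringify({
    ts: new Date(0).toISOString(), // fixed timestamp keeps the example deterministic
    principal: principalId,
    surface,
    allowed: decision.allowed,
    reason: decision.reason,
  }));
  return decision;
}

// Detection: count denied requests to owner-only surfaces per principal and
// report those at or above the threshold. Malformed lines are skipped.
function findSuspiciousPrincipals(logLines, threshold = 3) {
  const denied = new Map();
  for (const line of logLines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    if (entry.allowed === false && OWNER_ONLY_SURFACES.has(entry.surface)) {
      denied.set(entry.principal, (denied.get(entry.principal) || 0) + 1);
    }
  }
  return [...denied.entries()]
    .filter(([, n]) => n >= threshold)
    .map(([id]) => id)
    .sort();
}

// Post-upgrade verification from the advisory: every non-owner principal must
// be denied on every owner-only surface, and the owner must still get through.
function verifyOwnerGate(authFn) {
  for (const [id, p] of Object.entries(PRINCIPALS)) {
    for (const surface of OWNER_ONLY_SURFACES) {
      const { allowed } = authFn(id, surface);
      if (allowed !== p.isOwner) return false;
    }
  }
  return true;
}

// Stand-alone run: a constructed burst of non-owner probes against /config
// and /debug, then the verification check against both gates.
const log = [];
for (let i = 0; i < 3; i++) handleRequest(log, 'operator-7', '/config');
handleRequest(log, 'operator-7', '/debug');
handleRequest(log, 'owner-1', '/config');
handleRequest(log, 'guest-3', '/status');
console.log('suspicious:', findSuspiciousPrincipals(log));         // ['operator-7']
console.log('hardened gate passes:', verifyOwnerGate(authorize));  // true
console.log('weak gate passes:', verifyOwnerGate(weakAuthorize));  // false
```

The point of keeping `weakAuthorize` next to `authorize` is that both return "allowed" for an ordinary command, so a test that only exercises non-privileged surfaces cannot tell them apart; `verifyOwnerGate` is the check that does, and it is the one to run against a staging instance before and after applying 2026.3.12.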
Update OpenClaw to version 2026.3.12 or later. This version fixes the insufficient access control vulnerability in the /config and /debug endpoints, preventing unauthorized users from accessing privileged configurations.
CVE-2026-32914 is a HIGH severity vulnerability in OpenClaw versions prior to 2026.3.12 that allows command-authorized, non-owner users to access and modify privileged configuration settings.
You are affected if you are running OpenClaw versions 0 through 2026.3.11. Upgrade to 2026.3.12 to mitigate the risk.
Upgrade OpenClaw to version 2026.3.12 or later. As a temporary workaround, restrict access to the /config and /debug endpoints.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for future exploitation.
Refer to the OpenClaw project's official website and security advisories for the latest information and updates regarding CVE-2026-32914.