Platform
nodejs
Component
openclaw
Fixed version
2026.2.22
CVE-2026-32039 affects the openclaw npm package, specifically concerning how it handles sender policies. A collision can occur when deployments use untyped keys, allowing a malicious sender to potentially bypass intended restrictions. This vulnerability impacts versions up to and including 2026.2.21-2. The issue has been resolved with the release of version 2026.2.22.
The core of this vulnerability lies in the way openclaw manages sender identities. The channels..groups..toolsBySender configuration setting could be satisfied by an attacker presenting a colliding mutable identity value, such as a shared senderName or senderUsername. This effectively allows a malicious sender to masquerade as a privileged sender, potentially gaining access to resources or performing actions they are not authorized for. The impact is a bypass of sender policy controls. While the blast radius depends on the privileges granted by the targeted sender policy, successful exploitation could lead to significant data exposure or system compromise.
CVE-2026-32039 was published on March 3, 2026. Severity is assessed as MEDIUM (CVSS 5.9). Currently, there are no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of active exploitation at this time. Monitor security advisories and threat intelligence feeds for any indications of exploitation attempts.
Exploitation status
EPSS
0.02% (6th percentile)
The primary mitigation for CVE-2026-32039 is to upgrade the openclaw npm package to version 2026.2.22 or later. This version introduces explicit typed sender keys (id:, e164:, username:, name:) to prevent collisions. For environments where immediate upgrading is not feasible, consider temporarily migrating to the deprecated ID-only path for legacy untyped keys, although this is not a long-term solution. Review and tighten sender policy configurations to minimize the potential impact of a successful attack. After upgrading, confirm the fix by testing sender policy enforcement with various sender identities, ensuring that only authorized senders can access protected resources.
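As an added illustration (not openclaw's own code), the following JavaScript contrasts the untyped lookup described above, where a mutable display name can collide with a key that was meant for a privileged username, with a typed lookup using the id:, e164:, username: and name: prefixes, and adds a small check that lists keys still relying on the untyped path. The sender field names, the policy object shape and the '*' default entry are assumptions made for this example.

```javascript
// Added illustration, not openclaw's code. The sender fields (id, e164,
// username, name), the policy object shape and the '*' default entry are
// assumptions made for this example.

const TYPES = ['id', 'e164', 'username', 'name'];

// Legacy lookup: an untyped key is compared against every identity field,
// so a mutable field such as a display name can collide with a key that
// was meant to name a privileged sender.
function resolveUntyped(policy, sender) {
  for (const t of TYPES) {
    const tools = policy[sender[t]];
    if (tools) return tools;
  }
  return policy['*'] ?? [];
}

// Typed lookup (the 2026.2.22 behaviour as the advisory describes it):
// "id:<v>" matches only sender.id, "username:<v>" only sender.username, etc.
// A bare key with no prefix is treated as an ID only (the deprecated
// ID-only path), so a display name can never satisfy it.
function resolveTyped(policy, sender) {
  for (const t of TYPES) {
    const tools = policy[`${t}:${sender[t]}`];
    if (tools) return tools;
  }
  return policy[sender.id] ?? policy['*'] ?? [];
}

// Defender check: list keys that still rely on the untyped path so the
// configuration can be migrated to explicit prefixes.
function untypedKeys(policy) {
  return Object.keys(policy).filter(
    (k) => k !== '*' && !TYPES.some((t) => k.startsWith(`${t}:`))
  );
}

// Constructed sample data: "alice" was written intending the admin's username.
const legacyPolicy = { alice: ['deploy', 'read'], '*': ['read'] };
const typedPolicy = { 'username:alice': ['deploy', 'read'], '*': ['read'] };
const admin = { id: 'u-1001', e164: '+15550100', username: 'alice', name: 'Alice' };
const impostor = { id: 'u-2042', e164: '+15550199', username: 'mallory', name: 'alice' };

console.log(resolveUntyped(legacyPolicy, impostor)); // collision: [ 'deploy', 'read' ]
console.log(resolveTyped(typedPolicy, impostor));    // [ 'read' ]
console.log(resolveTyped(typedPolicy, admin));       // [ 'deploy', 'read' ]
console.log(untypedKeys(legacyPolicy));              // [ 'alice' ]
```

Running untypedKeys against a real policy object after upgrading is a quick way to find entries that still need an explicit type prefix.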
Upgrade OpenClaw to version 2026.2.22 or later. This version fixes the authorization bypass vulnerability by properly validating sender identities.
It's a vulnerability in the OpenClaw npm package where collisions in sender policies can occur due to untyped keys, potentially allowing unauthorized access.
If you are using OpenClaw versions 2026.2.21-2 or earlier, you are potentially affected by this vulnerability.
Upgrade the OpenClaw npm package to version 2026.2.22 or later to resolve the issue. Consider temporary workarounds if immediate upgrade is not possible.
Currently, there are no publicly known exploits or active campaigns targeting this vulnerability, but monitoring is still recommended.
Refer to the official npm package page for OpenClaw and consult security advisories for updates and further information.