PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32067 OpenClaw CVE debrief

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries.

Vendor
OpenClaw
Product
Unknown
CVSS
LOW (2.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-21
Original CVE updated
2026-05-26
Advisory published
2026-03-21
Advisory updated
2026-05-26

Who should care

Organizations running multi-account OpenClaw deployments with direct message pairing functionality enabled. Security teams responsible for authorization boundary enforcement in Node.js applications. Administrators managing cross-account access controls in messaging or communication platforms.

Technical summary

The vulnerability exists in OpenClaw's pairing-store access control mechanism for direct message pairing policy. In multi-account deployments, the system fails to properly isolate pairing approvals between accounts. An attacker who obtains sender approval in one account can have that approval automatically accepted when attempting to pair with another account, effectively reusing a sender approval across account boundaries. This is an incorrect authorization control (CWE-863): the pairing store does not validate that an approval is scoped to the specific account in which it was granted. Per the CVSS 4.0 vector, exploitation requires network access, high attack complexity, privileged access, and user interaction.
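To make the scoping defect concrete, the following added illustration (not OpenClaw's code; class and field names are hypothetical) contrasts a pairing store that keys approvals by sender alone with one that keys them by (account, sender), and includes a small audit helper of the kind the monitoring recommendation in this debrief calls for:

```javascript
// Added illustration of the CWE-863 pattern described above; this is not
// OpenClaw's code and all names are hypothetical.

// Vulnerable store: approvals keyed by sender only, so an approval granted in
// one account is honoured for the same sender in every other account.
class UnscopedPairingStore {
  constructor() { this.approvedSenders = new Set(); }
  approve(accountId, senderId) { this.approvedSenders.add(senderId); }
  isApproved(accountId, senderId) { return this.approvedSenders.has(senderId); }
}

// Hardened store: approvals keyed by (account, sender), so a pairing request is
// accepted only for the account whose owner explicitly approved that sender.
class ScopedPairingStore {
  constructor() { this.approvedByAccount = new Map(); }
  approve(accountId, senderId) {
    if (!this.approvedByAccount.has(accountId)) {
      this.approvedByAccount.set(accountId, new Set());
    }
    this.approvedByAccount.get(accountId).add(senderId);
  }
  isApproved(accountId, senderId) {
    const senders = this.approvedByAccount.get(accountId);
    return senders !== undefined && senders.has(senderId);
  }
}

// Constructed scenario: "sender-42" is approved for account "ops" only, then
// attempts to pair with "ops" and with "finance".
function crossAccountScenario(StoreClass) {
  const store = new StoreClass();
  store.approve("ops", "sender-42");
  return {
    sameAccount: store.isApproved("ops", "sender-42"),
    otherAccount: store.isApproved("finance", "sender-42"),
  };
}

// Detection aid: given an audit trail of explicit approvals and of pairings
// that were accepted, return the accepted pairings whose account never
// explicitly approved that sender (the cross-account case).
function findCrossAccountAcceptances(approvals, acceptances) {
  const store = new ScopedPairingStore();
  for (const a of approvals) store.approve(a.accountId, a.senderId);
  return acceptances.filter((p) => !store.isApproved(p.accountId, p.senderId));
}
```

With the unscoped store the "finance" pairing is accepted on the strength of the "ops" approval; with the scoped store it is refused, and the audit helper flags it when fed the same event trail.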

Defensive priority

LOW

Recommended defensive actions

  • Upgrade to OpenClaw version 2026.2.26 or later to remediate the authorization bypass vulnerability in the pairing-store access control.
  • Review multi-account deployment configurations to ensure proper authorization boundaries are enforced between accounts.
  • Monitor for unauthorized cross-account pairing approvals in environments running affected versions.
  • Apply the patches referenced in the vendor security advisory if an immediate upgrade is not feasible.

Evidence notes

CVE published 2026-03-21; modified 2026-05-26. CVSS 4.0 score 2.0 (LOW). CPE indicates affected versions prior to 2026.2.26 on Node.js. Two patches committed to GitHub repository. Vendor advisory published via GitHub Security Advisories. Third-party advisory from VulnCheck.

Official resources

2026-03-21