What is CVE-2026-32034?

CVE-2026-32034 is a high-severity vulnerability in Openclaw, classified under OS Command Injection. CVSS score: 8.1/10. Published 2026-03-19.

How severe is CVE-2026-32034?

High severity. CVSS v3 base score is 8.1 out of 10.

RCE in Openclaw

CVE-2026-32034

OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.001 (29.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H.

Affected products

Openclaw — versions 0, 2026.2.21

Weakness classification (CWE)

CWE-78 — OS Command Injection

References

GitHub Security Advisory (GHSA-3cvx-236h-m9fj) (third-party-advisory)
Patch Commit (patch)
VulnCheck Advisory: OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP (third-party-advisory)

Frequently asked questions

What is CVE-2026-32034?: CVE-2026-32034 is a high-severity vulnerability in Openclaw, classified under OS Command Injection. CVSS score: 8.1/10. Published 2026-03-19.
How severe is CVE-2026-32034?: High severity. CVSS v3 base score is 8.1 out of 10.