What is CVE-2026-32039?

CVE-2026-32039 is a medium-severity vulnerability in Openclaw, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 5.9/10. Published 2026-03-19.

How severe is CVE-2026-32039?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Auth bypass in Openclaw

CVE-2026-32039

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can ex…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (9.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N.

Affected products

Openclaw — versions 0, 2026.2.22

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

GitHub Security Advisory (GHSA-wpph-cjgr-7c39) (third-party-advisory)
Patch Commit (patch)
VulnCheck Advisory: OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender (third-party-advisory)

Frequently asked questions

What is CVE-2026-32039?: CVE-2026-32039 is a medium-severity vulnerability in Openclaw, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 5.9/10. Published 2026-03-19.
How severe is CVE-2026-32039?: Medium severity. CVSS v3 base score is 5.9 out of 10.