CVE-2026-32025 in OpenClaw

Summary

by MITRE • 03/20/2026

OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-force attacks against the gateway to establish an authenticated operator session and invoke control-plane methods.


Analysis

by VulDB Data Team • 03/25/2026

The vulnerability identified as CVE-2026-32025 represents a critical authentication weakness in OpenClaw versions before 2026.2.25 that specifically affects browser-based WebSocket client implementations. This flaw creates a significant security gap in the authentication hardening mechanisms that should protect loopback deployments from unauthorized access attempts. The vulnerability stems from insufficient validation of WebSocket client origins and inadequate enforcement of authentication throttling mechanisms, which together create an exploitable condition that undermines the security posture of the affected systems.

The technical root cause is a failure in the WebSocket origin validation process: the gateway does not properly verify the Origin of WebSocket connections initiated by browser clients. This weakness allows attackers to craft malicious web pages that can establish WebSocket connections to the OpenClaw gateway without proper authentication enforcement. The flaw specifically impacts loopback deployments where the gateway listens on localhost or 127.0.0.1, making it particularly dangerous in development environments or when the gateway is configured to accept loopback connections; because every browser tab on the host reaches the gateway from the same loopback address, trust based on the peer address alone offers no protection. The authentication throttling mechanism that should prevent rapid successive authentication attempts is also bypassed, enabling attackers to conduct password brute-force operations against the gateway's authentication interface.

The operational impact of this vulnerability extends beyond simple unauthorized access attempts to encompass complete control plane compromise. An attacker who successfully exploits this vulnerability can establish authenticated operator sessions with full administrative privileges, allowing them to invoke any control-plane methods available within the OpenClaw system. This includes potentially destructive operations such as modifying system configurations, accessing sensitive data, or executing arbitrary commands on the underlying infrastructure. The attack vector leverages social engineering techniques through malicious web pages that trick users into opening compromised content, making it particularly challenging to defend against through traditional network security measures.

Security professionals should recognize this vulnerability as aligning with CWE-346 Origin Validation Error, which specifically addresses the failure to properly validate the origin of requests in web applications. The flaw also maps to ATT&CK technique T1110.003 Brute Force, as it enables automated password guessing attacks against the authentication interface. Additionally, the bypass of authentication throttling mechanisms relates to CWE-307 Unrestricted Authentication Attempts, which describes insufficient protections against repeated authentication attempts. Organizations should implement immediate mitigations including upgrading to OpenClaw version 2026.2.25 or later, implementing proper WebSocket origin validation, enforcing strict authentication throttling, and conducting security awareness training to prevent users from visiting malicious websites that could exploit this vulnerability. Network segmentation and monitoring of WebSocket traffic should also be implemented to detect and prevent unauthorized access attempts.
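The two mitigations named above, strict Origin allowlisting and authentication throttling, are shown together below in an added, self-contained Python example. It is illustrative code written for this page, not OpenClaw's implementation: the gateway UI origin (`http://127.0.0.1:8080`), the operator password, the handshake model and the `handle_handshake` / `AuthThrottle` names are all assumptions. It demonstrates deny-by-default origin handling (missing, `null` and non-allowlisted origins are refused before any credential is examined) and a throttle keyed on peer address plus origin, with a global budget so that the shared loopback address does not collapse all browser clients into one unlimited bucket.

```python
import hmac
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed allowlist (port is a placeholder): only the gateway's own UI may
# open a browser WebSocket to the control plane.
ALLOWED_ORIGINS = {"http://127.0.0.1:8080", "http://localhost:8080"}

# Constructed operator credential; a real gateway would store a password hash.
OPERATOR_PASSWORD = "correct-horse-battery-staple"


def normalize_origin(origin):
    """Return 'scheme://host:port' in canonical form, or None if not a plain origin."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # An Origin header carries no path, query, fragment or userinfo.
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    host = parts.hostname
    if ":" in host:  # IPv6 literal
        host = f"[{host}]"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Deny by default: a missing, 'null' or non-allowlisted Origin is refused."""
    if not origin:
        return False
    norm = normalize_origin(origin)
    return norm is not None and norm in {normalize_origin(o) for o in allowed}


class AuthThrottle:
    """Sliding-window failure counter with lockout, per key and globally.

    On a loopback deployment every browser tab connects from 127.0.0.1, so a
    throttle keyed on the peer address alone is one shared bucket; this example
    keys on (peer, origin) and keeps a global budget ('*') as a backstop.
    """

    def __init__(self, max_failures=5, window_s=60.0, lockout_s=300.0, global_max=20):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.global_max = global_max
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def is_locked(self, key, now):
        return now < self._locked_until.get(key, 0.0) or now < self._locked_until.get("*", 0.0)

    def record_failure(self, key, now):
        for k, limit in ((key, self.max_failures), ("*", self.global_max)):
            q = self._prune(k, now)
            q.append(now)
            if len(q) >= limit:
                self._locked_until[k] = now + self.lockout_s
                q.clear()


def handle_handshake(headers, peer, password, throttle, now=None):
    """Gate a WebSocket upgrade plus password auth.

    Returns 'rejected_origin', 'throttled', 'auth_failed' or 'ok'.
    """
    now = time.monotonic() if now is None else now
    origin = headers.get("Origin")
    if not origin_allowed(origin):
        return "rejected_origin"  # cross-site page: refuse before any auth work
    key = (peer, normalize_origin(origin))
    if throttle.is_locked(key, now):
        return "throttled"  # locked out: do not even compare the password
    if not hmac.compare_digest(password.encode(), OPERATOR_PASSWORD.encode()):
        throttle.record_failure(key, now)
        return "auth_failed"
    return "ok"


def simulate():
    """Constructed scenario: one cross-site page, then a guessing burst from the UI origin."""
    throttle = AuthThrottle(max_failures=5, window_s=60.0, lockout_s=300.0)
    results = []
    evil = {"Origin": "https://attacker.example"}  # constructed hostile origin
    results.append(handle_handshake(evil, "127.0.0.1", "guess", throttle, now=0.0))
    ui = {"Origin": "http://127.0.0.1:8080"}
    for i in range(6):  # five failures trip the lock; the sixth is throttled
        results.append(handle_handshake(ui, "127.0.0.1", f"guess{i}", throttle, now=float(i)))
    results.append(handle_handshake(ui, "127.0.0.1", OPERATOR_PASSWORD, throttle, now=10.0))
    results.append(handle_handshake(ui, "127.0.0.1", OPERATOR_PASSWORD, throttle, now=400.0))
    return results


if __name__ == "__main__":
    print(simulate())
```

The ordering matters: the origin check runs first and records nothing, so a hostile page cannot consume the legitimate UI's attempt budget, while the throttle check runs before the constant-time password comparison so that a locked-out key does no credential work at all. The time parameter is injected only so the scenario is reproducible offline.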

Responsible

VulnCheck

Reservation

03/10/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00109

KEV

no

Activities

very low

Sources
