
CVE

CVE-2026-32004

OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification

Summary (Updated March 2, 2026)

In vulnerable builds, requests using encoded alternate paths could bypass the plugin route auth checks for /api/channels/* because the auth check and the route canonicalization decoded to different depths (a canonicalization depth mismatch).

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published vulnerable version: 2026.3.1
  • Affected range: <= 2026.3.1
  • Patched release: 2026.3.2 (patched_versions: >= 2026.3.2)

Technical Details

In affected versions, the plugin auth-path classification and the route-path canonicalization could diverge for deeply encoded slash variants (for example, a multi-encoded %2f). Because of that mismatch, an alternately encoded path could evade the protected-prefix auth check while still resolving to /api/channels/... in plugin route handling.

The fix set hardens this class of issue by:

  • canonicalizing route paths to a bounded fixpoint,
  • failing closed on malformed or unresolved canonicalization depth,
  • requiring explicit plugin-route auth contracts (no implicit auth default),
  • enforcing route ownership/conflict guards for duplicate route registrations, and
  • using shared webhook route lifecycle registration to avoid stale/conflicting route surfaces.
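The hardening the advisory lists (canonicalizing to a bounded fixpoint, failing closed on malformed or unresolved encoding depth, explicit auth contracts and duplicate-route guards) is shown below as an added JavaScript example written for this page; it is not OpenClaw's code. The /api/channels prefix and the multi-encoded %2f case come from the advisory; the depth bound, the function names and the registry shape are assumptions. A single-decode classifier is kept beside the hardened one only to show why the auth check and the router must share one canonical form.

```javascript
// Added example (not OpenClaw's code): bounded-fixpoint path canonicalization
// that fails closed, a protected-prefix classifier built on it, and a route
// registry that requires an explicit auth contract and rejects duplicates.
// The constants and function names below are assumptions for illustration.

const MAX_DECODE_DEPTH = 4;                   // assumed bound on nested percent-decoding
const PROTECTED_PREFIXES = ['/api/channels']; // protected prefix named in the advisory

// Resolve '.' and '..' segments and collapse repeated slashes. Returns null when
// '..' would climb above the root, which a route path never legitimately does.
function normalizeSegments(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null;
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Decode repeatedly until the string stops changing (a fixpoint). If the input
// is malformed, or does not settle within MAX_DECODE_DEPTH rounds, return null
// so that callers fail closed instead of guessing at the intended path.
function canonicalizePath(rawPath) {
  let current = rawPath;
  for (let round = 0; round <= MAX_DECODE_DEPTH; round++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (err) {
      return null; // malformed escape sequence: fail closed
    }
    if (decoded === current) return normalizeSegments(decoded);
    current = decoded;
  }
  return null; // still changing after the bound: unresolved depth, fail closed
}

// Prefix test that matches the prefix itself and anything beneath it, but not a
// sibling path such as /api/channelsX.
function underPrefix(canonical, prefix) {
  return canonical === prefix || canonical.startsWith(prefix + '/');
}

// Hardened classifier: the auth decision and the routing decision are both made
// on the same canonical form, so they cannot diverge.
function classifyRoute(rawPath) {
  const canonical = canonicalizePath(rawPath);
  if (canonical === null) return { decision: 'reject', canonical: null };
  const isProtected = PROTECTED_PREFIXES.some((p) => underPrefix(canonical, p));
  return { decision: isProtected ? 'require-auth' : 'public', canonical };
}

// Pre-fix shape of the problem, for contrast only: an auth check that decodes
// once while the router decodes to a fixpoint. A doubly encoded slash is judged
// "public" here even though the router still places it under /api/channels.
function singleDecodeIsProtected(rawPath) {
  let once;
  try { once = decodeURIComponent(rawPath); } catch (err) { return true; }
  return PROTECTED_PREFIXES.some((p) => underPrefix(once, p));
}

// Registration-time guards: every plugin route must state its auth contract
// explicitly, and a canonical path may only be owned by one registrant.
function createRouteRegistry() {
  const routes = new Map(); // canonical path -> { owner, auth }
  return {
    register(owner, rawPath, contract) {
      if (!contract || !['required', 'public'].includes(contract.auth)) {
        throw new Error(`route ${rawPath} from ${owner} lacks an explicit auth contract`);
      }
      const canonical = canonicalizePath(rawPath);
      if (canonical === null) throw new Error(`route ${rawPath} does not canonicalize`);
      const existing = routes.get(canonical);
      if (existing && existing.owner !== owner) {
        throw new Error(`route ${canonical} is already owned by ${existing.owner}`);
      }
      routes.set(canonical, { owner, auth: contract.auth });
      return canonical;
    },
    lookup(rawPath) {
      const canonical = canonicalizePath(rawPath);
      return canonical === null ? undefined : routes.get(canonical);
    },
  };
}
```

The bound matters in both directions: it lets legitimately encoded paths settle, and it turns an input that keeps changing after MAX_DECODE_DEPTH rounds into a rejection rather than a best-effort guess. Because the registry keys routes by the same canonical form, two plugins cannot register paths that differ only in encoding.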

Affected Deployments

Deployments exposing plugin HTTP routes and relying on gateway auth for /api/channels/* protection.

Fix Commit(s)

  • 93b07240257919f770d1e263e1f22753937b80ea
  • 2fd8264ab03bd178e62a5f0c50d1c8556c17f12d
  • d74bc257d8432f17e50b23ae713d7e0623a1fe0f
  • 7a7eee920a176a0043398c6b37bf4cc6eb983eeb


CVSS Scores

  • CVSS 4.0: base score 8.3; vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • CVSS 3.1: base score 0 as listed (the Basic Information block gives 6.5); vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N


References

  • https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m
  • https://nvd.nist.gov/vuln/detail/CVE-2026-32004
  • https://github.com/openclaw/openclaw/commit/2fd8264ab03bd178e62a5f0c50d1c8556c17f12d
  • https://github.com/openclaw/openclaw/commit/7a7eee920a176a0043398c6b37bf4cc6eb983eeb
  • https://github.com/openclaw/openclaw/commit/93b07240257919f770d1e263e1f22753937b80ea
  • https://github.com/openclaw/openclaw/commit/d74bc257d8432f17e50b23ae713d7e0623a1fe0f
  • https://github.com/openclaw/openclaw
  • https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-encoded-path-in-api-channels-route


Basic Information

  • Ecosystem: npm
  • Base CVSS: 6.5
  • EPSS Probability: 0.00095%
  • EPSS Percentile: 0.26224%
  • Introduced Version: 0
  • Fix Available: 2026.3.2
