Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-32014

OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
Back to all
CVE

CVE-2026-32014

OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy

Summary

A paired node device could reconnect with spoofed platform/deviceFamily metadata and broaden node command policy eligibility because reconnect metadata was accepted from the client while these fields were not bound into the device-auth signature.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.25
  • Latest published version at update time: 2026.2.25
  • Patched version (pre-set for next release): 2026.2.26

Impact

In configurations where node command policy differs by platform, an attacker with an already paired node identity on the trusted network could spoof reconnect metadata and gain access to commands that should remain blocked for the originally paired platform.

Fix

  • Add device-auth payload v3 that signs normalized platform and deviceFamily.
  • Verify v3 first (fallback to v2 for compatibility), while pinning paired metadata server-side.
  • Reject reconnect metadata mismatches and require explicit repair pairing to change pinned metadata.
  • Add regression coverage for reconnect spoof attempts.

Fix Commit(s)

  • 7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a

Release Process Note

patched_versions is pre-set to the planned next release 2026.2.26; once that npm release is published, the advisory can be published without further field edits.

OpenClaw thanks @76embiid21 for reporting.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.6
-
4.0
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
C
H
U
8
-
3.1
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-r65x-2hqr-j5hf, https://nvd.nist.gov/vuln/detail/CVE-2026-32014, https://github.com/openclaw/openclaw/commit/7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a, https://github.com/openclaw/openclaw, https://www.vulncheck.com/advisories/openclaw-node-reconnect-metadata-spoofing-via-unsigned-platform-fields

Severity

8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
8
EPSS Probability
0.00034%
EPSS Percentile
0.10044%
Introduced Version
0,2026.2.2,2026.1.29-beta.1,2026.1.27-beta.1,2026.1.20
Fix Available
2026.2.26

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading