CVE-2026-32067 LOW

CVE-2026-32067: OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store

Vendor Openclaw
Product OpenClaw
Weakness CWE-863 · Incorrect authorization
Published March 21, 2026
Last update May 26, 2026

CVSS base score

2.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Active
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

OpenClaw versions prior to 2026.2.26 contain an authorization bypass in the pairing-store access control used by the direct message pairing policy, which allows attackers to reuse pairing approvals across multiple accounts. In multi-account deployments, an attacker approved as a sender in one account is automatically accepted in another account without that account's explicit approval, bypassing the authorization boundary between accounts.
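To illustrate the defect class the description names, here is an added example that is not OpenClaw's code (the store layout, class names, account and sender identifiers are all hypothetical): a pairing store that records approvals by sender alone, beside one that scopes each approval to the account that granted it.

```typescript
// Hypothetical DM pairing stores; not OpenClaw's implementation.
type AccountId = string;
type SenderId = string;

interface PairingStore {
  approve(account: AccountId, sender: SenderId): void;
  isApproved(account: AccountId, sender: SenderId): boolean;
}

// Weak pattern: approvals are keyed by sender only, so an approval granted
// in one account is honoured by every other account in the deployment.
class UnscopedPairingStore implements PairingStore {
  private approved = new Set<SenderId>();

  approve(_account: AccountId, sender: SenderId): void {
    this.approved.add(sender);
  }

  isApproved(_account: AccountId, sender: SenderId): boolean {
    return this.approved.has(sender);
  }
}

// Hardened pattern: the approval is keyed by the (account, sender) pair, so
// each account must grant its own explicit approval before accepting a sender.
class ScopedPairingStore implements PairingStore {
  private approved = new Map<AccountId, Set<SenderId>>();

  approve(account: AccountId, sender: SenderId): void {
    let senders = this.approved.get(account);
    if (!senders) {
      senders = new Set<SenderId>();
      this.approved.set(account, senders);
    }
    senders.add(sender);
  }

  isApproved(account: AccountId, sender: SenderId): boolean {
    return this.approved.get(account)?.has(sender) ?? false;
  }
}

// Constructed check: sender "user-123" is approved only in account "alpha".
// Returns true when account "beta" would accept the sender without its own
// approval, i.e. when the store exhibits the cross-account bypass.
function leaksAcrossAccounts(store: PairingStore): boolean {
  store.approve("alpha", "user-123");
  return store.isApproved("beta", "user-123");
}
```

A regression test for a fix of this kind should assert that a sender approved in one account is rejected by every other account until that account approves it separately.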

Key dates

Disclosure timeline

March 21, 2026 CVE published
May 26, 2026 Record updated