CVE-2026-32916 CRITICAL

CVE-2026-32916: OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes

Vendor Openclaw
Product OpenClaw
Weakness CWE-266
Published March 31, 2026
Last update March 31, 2026

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent methods to perform privileged gateway actions including session deletion and agent execution.

Key dates

02Disclosure timeline

March 31, 2026 CVE published
March 31, 2026 Record updated