Vulnerability DatabaseCVE-2026-32036
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-32036
March 19, 2026
OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths using encoded traversal patterns to access protected plugin channel routes when handlers normalize the incoming path, circumventing security controls.
Affected Packages
openclaw (NPM):
Affected version(s) >=0.0.1 <2026.2.26
Fix Suggestion:
Update to version 2026.2.26
Related ResourcesĀ (5)
https://github.com/openclaw/openclaw
https://github.com/openclaw/openclaw/security/advisories/GHSA-mwxv-35wr-4vvj
https://nvd.nist.gov/vuln/detail/CVE-2026-32036
https://github.com/openclaw/openclaw/commit/258d615c45527ffda37cecd08cd268f97461bde0
https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-encoded-dot-segment-traversal-in-api-channels
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22
Authentication Bypass by Alternate Name
CWE-289
EPSS
Base Score:
0.06