CVE-2026-32970

EPSS 0.02%
Veröffentlicht 31.03.2026 11:17:16
Zuletzt bearbeitet 02.04.2026 14:16:14
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth references to cause CLI and helper paths to select incorrect credential sources, potentially bypassing intended local authentication boundaries.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

OpenClaw ≫ OpenClaw SwPlatformnode.js Version < 2026.3.11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.041

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.3	1.8	1.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
disclosure@vulncheck.com	2	0	0	CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	2.5	1	1.4	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-636 Not Failing Securely ('Failing Open')

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7

Vendor Advisory

https://www.vulncheck.com/advisories/openclaw-credential-fallback-logic-bypass-via-unavailable-local-auth-secretrefs

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-32970

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32970

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32970

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32970