wid-sec-w-2026-0711 · Published 2026-03-12 · View on BSI CERT-Bund ↗

OpenClaw: Multiple Vulnerabilities

CVSS 9.4 CRITICAL

Risk Summary

OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent methods to perform privileged gateway actions including session deletion and agent execution.

CVEs (20)

CVE-2026-32031 CVE-2026-32055 CVE-2026-32302 CVE-2026-32916 CVE-2026-32918 CVE-2026-32919 CVE-2026-32920 CVE-2026-32922 CVE-2026-32923 CVE-2026-32924 CVE-2026-32970 CVE-2026-32973 CVE-2026-32975 CVE-2026-32976 CVE-2026-32977 CVE-2026-32978 CVE-2026-32979 CVE-2026-33575 CVE-2026-34505 CVE-2026-34508

Affected Vendors

Open Source

Affected Products (2)

Open Source · OpenClaw <2026.3.12

Open Source · OpenClaw 2026.3.12

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more