Untriaged
Permalink
CVE-2026-32036
6.5 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): HIGH
- Availability impact (A): NONE
OpenClaw < 2026.2.26- Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels
OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths using encoded traversal patterns to access protected plugin channel routes when handlers normalize the incoming path, circumventing security controls.
References
- GitHub Security Advisory (GHSA-mwxv-35wr-4vvj) third-party-advisory
- Patch Commit patch
- VulnCheck Advisory: OpenClaw < 2026.2.26- Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels third-party-advisory
Affected products
OpenClaw
- ==2026.2.26
- <2026.2.26
Package maintainers
-
@chrisportela Chris Portela <chris@chrisportela.com>