High severity · NVD Advisory · Published Mar 19, 2026 · Updated Mar 20, 2026
OpenClaw < 2026.2.26 - Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels
CVE-2026-32036
Description
OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths using encoded traversal patterns to access protected plugin channel routes when handlers normalize the incoming path, circumventing security controls.
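The mismatch the description names, an authentication decision made on the raw path while the handler routes on the normalized one, shown as an added example that is not OpenClaw's code or its patch. The function names, `MAX_DECODE_PASSES`, and the sample paths (other than the `/api/channels` prefix) are assumptions constructed for illustration.

```javascript
// Added example: hypothetical gateway guard, not OpenClaw's implementation.
const PROTECTED_PREFIX = "/api/channels"; // route family named in the advisory
const MAX_DECODE_PASSES = 3; // assumption: bound on nested percent-encoding

// Percent-decode until stable, then resolve "." and ".." segments.
// Returns null when the path is malformed or still encoded after the bound.
// Assumes rawPath is the path component only (no query string).
function canonicalizePath(rawPath) {
  let path = rawPath;
  for (let i = 0; i < MAX_DECODE_PASSES; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(path);
    } catch {
      return null; // malformed escape such as "%zz"
    }
    if (decoded === path) break;
    path = decoded;
  }
  if (/%[0-9a-f]{2}/i.test(path)) return null; // deeper nesting than the bound
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

function isProtected(path) {
  return path === PROTECTED_PREFIX || path.startsWith(PROTECTED_PREFIX + "/");
}

// Weak form: decides on the raw path; a later normalizing handler sees another path.
function decideRaw(rawPath) {
  return isProtected(rawPath) ? "auth" : "open";
}

// Hardened form: decide on the canonical path the handler will route on; fail closed.
function decideCanonical(rawPath) {
  const canonical = canonicalizePath(rawPath);
  if (canonical === null) return "reject";
  return isProtected(canonical) ? "auth" : "open";
}
```

The same canonical path should then be passed on to routing, so the check and the handler cannot disagree about which route was requested.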
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.26 | 2026.2.26 |
Affected products (1)
Patches (1)
- 258d615c4552
References (5)
- github.com/openclaw/openclaw/commit/258d615c45527ffda37cecd08cd268f97461bde0 (ghsa, patch, WEB)
- github.com/advisories/GHSA-mwxv-35wr-4vvj (ghsa, ADVISORY)
- github.com/openclaw/openclaw/security/advisories/GHSA-mwxv-35wr-4vvj (ghsa, third-party-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-32036 (ghsa, ADVISORY)
- www.vulncheck.com/advisories/openclaw-authentication-bypass-via-encoded-dot-segment-traversal-in-api-channels (ghsa, third-party-advisory, WEB)