Critical severity9.4NVD Advisory· Published Mar 31, 2026· Updated Apr 2, 2026

CVE-2026-32916

Description

OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent methods to perform privileged gateway actions including session deletion and agent execution.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
openclawnpm	>= 2026.3.7, < 2026.3.11	2026.3.11

Affected products

OpenClaw/Openclaw
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Range: >=2026.3.7,<2026.3.11

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-xw77-45gv-p728ghsaADVISORY
github.com/openclaw/openclaw/security/advisories/GHSA-xw77-45gv-p728nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-32916ghsaADVISORY
www.vulncheck.com/advisories/openclaw-authorization-bypass-in-plugin-subagent-routes-via-synthetic-admin-scopesnvdThird Party AdvisoryWEB
github.com/openclaw/openclaw/releases/tag/v2026.3.11ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.611
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000