CVE-2026-32036

Published: Mar 19, 2026 Last Modified: Mar 19, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,3
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM 6,5
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: high
Availability: none

Description

AI Translation Available

OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths using encoded traversal patterns to access protected plugin channel routes when handlers normalize the incoming path, circumventing security controls.

289

Authentication Bypass by Alternate Name

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism
Applicable Platforms
All platforms may be affected
View CWE Details
https://github.com/openclaw/openclaw/commit/258d615c45527ff…
https://github.com/openclaw/openclaw/commit/258d615c45527ffda37cecd08cd268f9746…
https://github.com/openclaw/openclaw/security/advisories/GH…
https://github.com/openclaw/openclaw/security/advisories/GHSA-mwxv-35wr-4vvj
https://www.vulncheck.com/advisories/openclaw-authenticatio…
https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-encoded…