Vulnerability Details CVE-2026-32014

OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature. An attacker with a paired node identity on the trusted network can spoof reconnect metadata to bypass platform-based node command policies and gain access to restricted commands.
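The class of flaw described above, shown as an added example that is not OpenClaw's code: fields left outside a signature can be changed without invalidating it, while fields bound into the signed payload cannot. The message layout, the policy table, the command names and the use of HMAC as a stand-in for the device-auth signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample key; HMAC stands in for the real device-auth signature scheme.
NODE_KEY = b"constructed-demo-key"

# Hypothetical platform-based command policy (not OpenClaw's real policy).
ALLOWED = {"ios": {"status"}, "linux": {"status", "restricted.cmd"}}


def _mac(key, payload):
    # Canonical JSON so signer and verifier hash byte-identical input.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_unbound(key, msg):
    """Flawed pattern: only identity and nonce are covered by the signature."""
    return _mac(key, {"nodeId": msg["nodeId"], "nonce": msg["nonce"]})


def sign_bound(key, msg):
    """Hardened pattern: platform and deviceFamily are part of the signed payload."""
    fields = ("nodeId", "nonce", "platform", "deviceFamily")
    return _mac(key, {k: msg[k] for k in fields})


def authorize(key, msg, signature, signer, command):
    # Recompute the signature over what the scheme covers, then apply the policy.
    if not hmac.compare_digest(signer(key, msg), signature):
        return False
    return command in ALLOWED.get(msg["platform"], set())


def demo():
    # Constructed reconnect message and a copy whose metadata was changed after signing.
    signed = {"nodeId": "node-1", "nonce": "n-001",
              "platform": "ios", "deviceFamily": "phone"}
    altered = dict(signed, platform="linux", deviceFamily="server")
    results = {}
    for name, signer in (("unbound", sign_unbound), ("bound", sign_bound)):
        sig = signer(NODE_KEY, signed)
        results[name] = authorize(NODE_KEY, altered, sig, signer, "restricted.cmd")
    return results


if __name__ == "__main__":
    print(demo())
```

With the unbound scheme the policy decision rests on metadata the signature never covered; with the bound scheme the same altered message fails verification before the policy is consulted.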
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 4.7%
CVSS Severity
CVSS v3 Score 8.0

