OpenClaw Patches Five Critical Vulnerabilities Enabling Privilege Escalation and RCE

OpenClaw, the widely adopted open-source device orchestration and messaging gateway framework, has released a series of emergency patches addressing five distinct security vulnerabilities that span privilege escalation, authorization bypass, and remote code execution attack vectors. The affected versions range from 2026.3.10 and earlier, with fixes rolling out across versions 2026.3.11, 2026.3.12, and 2026.3.13. The severity of these flaws makes them a serious concern for any organization running OpenClaw in production environments, particularly those relying on its device pairing infrastructure, messaging integrations, or execution allowlists. Security researchers disclosed these issues through coordinated responsible disclosure, and OpenClaw maintainers have responded with staggered patch releases over the past few weeks. This article breaks down each vulnerability, explains the underlying technical flaw, and provides guidance on what teams should prioritize when planning their upgrade path.

What Is OpenClaw and Why Does This Matter

OpenClaw serves as a bridge between IoT device management, messaging platform integrations (Feishu, Zalo, and others), and controlled command execution on remote nodes. Its modular architecture lets operators define scoped tokens, allowlisted commands, and channel-based authorization rules. Organizations deploy it to coordinate device fleets, route messages between internal chat platforms and automated agents, and execute remote operations on paired nodes under strict scope constraints.

The five vulnerabilities disclosed in this patch cycle target each of these core trust boundaries:

• Device token scoping — controls what permissions paired devices receive during token rotation (CVE-2026-32922).
• Messaging event classification — determines whether incoming Feishu events are treated as private or group conversations (CVE-2026-32924).
• Execution allowlists — restricts which commands remote nodes can run via system.run on POSIX systems (CVE-2026-32973).
• Channel authorization — gates which Zalo messaging groups can interact with the automated agent (CVE-2026-32975).
• Bootstrap verification — ensures device pairing setup codes are consumed exactly once during onboarding (CVE-2026-32987).

When any of these boundary enforcement mechanisms fail, the consequences cascade quickly. A broken scope constraint means an attacker doesn't just read data they shouldn't — they mint tokens that give them full administrative control. A miscategorized chat event doesn't just leak a message — it bypasses every protection the operator configured for group conversations. These five CVEs collectively expose weaknesses across OpenClaw's core trust boundaries.

CVE-2026-32922: Privilege Escalation via device.token.rotate

This vulnerability targets the token rotation mechanism at the heart of OpenClaw's device pairing system. When a caller with operator.pairing scope invokes device.token.rotate, the function generates new tokens for paired devices. The critical flaw is that it fails to constrain the newly minted scopes to the caller's current scope set. In practice, a caller holding only operator.pairing can request a token that includes operator.admin — and OpenClaw will issue it without complaint.

The practical impact is devastating. Once an attacker obtains an operator.admin token for a paired device, they gain access to system.run — the command execution interface that lets operators trigger arbitrary processes on connected nodes. This is a direct path to remote code execution. Alternatively, the escalated token grants gateway-admin access, allowing the attacker to reconfigure message routing, modify allowlists, and effectively take control of the entire OpenClaw deployment.

How the Scope Constraint Should Work

In a properly implemented token rotation, the function must verify that every scope requested in the new token is a subset of the caller's existing scopes. This is a fundamental principle of least privilege: you cannot grant permissions you don't hold. The fix in version 2026.3.11 adds explicit scope intersection validation before issuing rotated tokens, ensuring that device.token.rotate never escalates beyond the caller's boundary.

Real-world scenario: Consider a managed IoT deployment where field technicians use operator.pairing tokens to onboard new sensors. Before the patch, a compromised technician credential — or a malicious insider — could silently mint admin tokens for every device in the fleet, then use system.run to push firmware modifications or exfiltrate data across the entire network without triggering scope-based alerts.

CVE-2026-32924: Feishu Reaction Event Misclassification

OpenClaw integrates with Feishu (Lark) to route messages and reactions from chat platforms to automated agents. When processing reaction events, the system checks the chat_type field to determine whether the event originated from a peer-to-peer (p2p) conversation or a group chat. Group chats have additional protections: groupAllowFrom restricts which groups can trigger the agent, and requireMention ensures the agent only responds when explicitly mentioned.

The vulnerability arises when a reaction event arrives with the chat_type field omitted entirely. Instead of treating this as an error or defaulting to the more restrictive classification, OpenClaw misclassifies the event as a p2p conversation. Since p2p conversations bypass groupAllowFrom and requireMention checks, the attacker effectively sidesteps all group-level protections.

Exploitation Path

An attacker operating within a Feishu workspace can craft reaction events that deliberately omit the chat_type field. These events, originating from group chats that would normally be blocked by groupAllowFrom rules, are instead processed as p2p interactions. This means the attacker can trigger agent behaviors from unauthorized groups, potentially feeding malicious input to automated workflows or extracting information the agent would only share in trusted contexts.

Common developer mistake: Treating a missing field as equivalent to a specific valid value is one of the most frequent authorization bugs in messaging integrations. The secure pattern is to fail closed — if chat_type is absent, reject the event or default to the most restrictive classification. The fix in version 2026.3.12 implements exactly this approach.

CVE-2026-32973: Exec Allowlist Pattern Bypass on POSIX

OpenClaw provides an execution allowlist that operators use to restrict which commands can be run via system.run. The pattern matching function matchesExecAllowlistPattern normalizes input patterns by lowercasing them and then applies glob-style matching. On POSIX systems, this creates two distinct bypass vectors.

First, the lowercasing normalization destroys case sensitivity that POSIX filesystems preserve. A pattern intended to allow /usr/bin/Deploy will also match /usr/bin/deploy — and vice versa. Second, the glob matching treats the ? wildcard as matching any single character, including the path separator /. This means a pattern like /usr/bin/?ool doesn't just match /usr/bin/tool — it matches /usr/bin//ool and potentially traverses path segments in ways the operator never intended.

Why Glob Matching Fails Here

Standard glob matching in most shell implementations treats ? as matching any character except the path separator. OpenClaw's custom implementation doesn't enforce this restriction. The overmatch allows attackers to construct paths that slip through allowlist patterns and execute binaries in unexpected locations. Combined with the case normalization issue, an attacker can reference executables using mixed-case paths that bypass the lowercased pattern comparison on case-sensitive filesystems.

The fix in version 2026.3.11 addresses both issues: it preserves case sensitivity during matching on POSIX systems and restricts ? from crossing path boundaries, aligning the behavior with expected glob semantics.

CVE-2026-32975: Zalouser Allowlist Matches Mutable Group Names

OpenClaw supports Zalo messaging integration with an allowlist mode that restricts which groups can communicate with the agent. The vulnerability lies in how the allowlist identifies groups: it matches against group display names rather than stable, immutable group identifiers.

Group display names in Zalo are mutable — any group member with sufficient permissions can change them at any time. An attacker can create a new group, set its display name to match an allowlisted group, and immediately gain authorization to route messages to the OpenClaw agent. The original allowlisted group and the spoofed group become indistinguishable from OpenClaw's perspective.

The Stable Identifier Principle

Authorization decisions must always be based on immutable identifiers. Group IDs, channel IDs, or cryptographic tokens provide stable references that cannot be forged through UI actions. Display names exist for human convenience and should never serve as security boundaries. This is a well-documented anti-pattern, yet it appears regularly in messaging platform integrations because display names are easily accessible in event payloads while stable IDs sometimes require additional API calls to retrieve.

The fix in version 2026.3.12 switches the allowlist matching to use Zalo's stable group identifiers, making display name spoofing ineffective.

CVE-2026-32987: Bootstrap Setup Code Replay in Device Pairing

The device pairing flow in OpenClaw uses bootstrap setup codes to verify that a new device is authorized to join the network. When a device presents a valid bootstrap code during pairing, src/infra/device-bootstrap.ts should validate the code exactly once and then invalidate it. Instead, the code allows the same bootstrap code to be verified multiple times before the pairing is approved.

This replay window creates a dangerous race condition. An attacker who intercepts or guesses a valid bootstrap code can submit multiple verification requests in rapid succession. Each successful verification can escalate the pending pairing scopes incrementally. In the worst case, the attacker escalates all the way to operator.admin, gaining full administrative control over the paired device — and by extension, over any nodes that device can reach.

Timing and Race Conditions in Pairing Protocols

Device pairing protocols must enforce single-use semantics for verification codes. The standard approach is to mark the code as consumed in an atomic operation — typically a database transaction or a compare-and-swap in a distributed cache — before proceeding with any scope assignment. OpenClaw's implementation performed the verification check and the scope assignment as separate, non-atomic steps, leaving a window where concurrent requests could all pass the verification check before any of them consumed the code.

Scalability consideration: In large deployments where hundreds of devices pair simultaneously, the pairing verification endpoint faces significant concurrent load. The fix in version 2026.3.13 uses an atomic check-and-consume pattern backed by a transactional store, which adds minimal latency per request while eliminating the replay window. Teams running distributed OpenClaw instances should verify that their backing store supports the required transaction isolation level after upgrading.

Vulnerability Comparison and Impact Summary

Two of these vulnerabilities — CVE-2026-32922 and CVE-2026-32987 — carry critical severity ratings due to their direct path to operator.admin privilege escalation and potential for remote code execution. CVE-2026-32924 and CVE-2026-32973 are rated high because they bypass explicit security controls, though exploitation requires some positioning within the target environment. CVE-2026-32975 is rated medium because it requires the attacker to participate in the Zalo messaging ecosystem and create groups that match allowlisted names.

Attack Chain Potential: Combining These Vulnerabilities

Individually, each of these vulnerabilities presents a serious risk. Combined, they enable attack chains that could compromise an entire OpenClaw deployment from a relatively low-privilege starting position.

Consider this scenario: an attacker gains initial access through CVE-2026-32975 by spoofing a Zalo group name, allowing them to feed messages to the OpenClaw agent. From there, they exploit CVE-2026-32924 to bypass mention requirements in Feishu-integrated channels, expanding their ability to trigger agent actions. If the agent has access to device pairing operations, the attacker can leverage CVE-2026-32987 to replay bootstrap codes and escalate to operator.admin. With admin tokens in hand — perhaps further amplified by CVE-2026-32922's token rotation flaw — they use CVE-2026-32973 to bypass exec allowlists and execute arbitrary commands on connected nodes.

Architecture insight: This chain illustrates why defense in depth matters at every layer. Each vulnerability alone might be mitigated by other controls, but when multiple trust boundaries fail simultaneously, the blast radius compounds exponentially. Organizations running OpenClaw should treat this patch cycle as a single coordinated upgrade rather than prioritizing individual CVEs independently.

Recommended Upgrade Strategy

Because the fixes span three separate releases (2026.3.11, 2026.3.12, and 2026.3.13), teams should upgrade directly to version 2026.3.13 or later to address all five vulnerabilities in a single operation. Here is a prioritized approach:

1. Audit active tokens immediately. Before upgrading, identify any tokens issued via device.token.rotate that carry scopes beyond what the requesting caller should have held. Revoke suspicious tokens.
2. Review bootstrap pairing logs. Check for repeated verification attempts on the same bootstrap code, which would indicate potential exploitation of CVE-2026-32987.
3. Upgrade to 2026.3.13. Deploy the latest patched version across all OpenClaw instances. In distributed deployments, upgrade gateway nodes first as they handle token rotation and bootstrap verification.
4. Validate Zalo and Feishu configurations. After upgrading, confirm that your Zalo allowlists now reference stable group IDs (not display names) and that Feishu event processing correctly rejects events with missing chat_type.
5. Re-audit exec allowlists. Test your allowlist patterns against the updated matching logic to ensure they still permit intended commands while correctly blocking path traversal attempts.

Frequently Asked Questions

Are these vulnerabilities being actively exploited in the wild?

As of the disclosure date, OpenClaw maintainers have not confirmed active exploitation. However, the detailed nature of the advisories and the low complexity required for exploitation — particularly CVE-2026-32975 and CVE-2026-32924 — means that proof-of-concept exploits are likely to appear quickly. Treating these patches as urgent is strongly recommended.

Can I patch only the critical CVEs and defer the rest?

While CVE-2026-32922 and CVE-2026-32987 carry the highest individual severity ratings, the potential for chaining these vulnerabilities means that leaving any one unpatched weakens the overall security posture. Upgrading to 2026.3.13 addresses all five issues simultaneously and is the recommended approach.

Do these vulnerabilities affect OpenClaw deployments that don't use Feishu or Zalo?

CVE-2026-32924 and CVE-2026-32975 are specific to Feishu and Zalo integrations respectively. However, CVE-2026-32922, CVE-2026-32973, and CVE-2026-32987 affect core device pairing and command execution functionality that is present in all OpenClaw deployments. Every installation should upgrade regardless of which messaging integrations are enabled.

What should I monitor after applying the patches?

Focus on three areas: token issuance logs for anomalous scope grants, bootstrap verification attempts showing replay patterns, and exec allowlist match failures that might indicate previously exploited bypass paths. Increased match failures after patching could reveal past exploitation attempts that were previously succeeding silently.

Key Takeaways for Security Teams

These five vulnerabilities in OpenClaw reinforce several foundational security principles that development and operations teams should embed in their workflows. Scope constraints must be validated at every token issuance point, not just at initial authentication. Missing fields in external event payloads should default to the most restrictive interpretation. Pattern matching used for security decisions must account for platform-specific filesystem behavior. Authorization checks must rely on immutable identifiers, never on user-editable display attributes. And single-use verification tokens must be consumed atomically to prevent race conditions.

If your organization runs OpenClaw in any capacity, the path forward is straightforward: upgrade to version 2026.3.13 immediately, audit your deployment for signs of prior exploitation, and use this incident as a catalyst to review your broader token management and authorization architecture. The patches are available now — the window between disclosure and exploitation shrinks with every passing hour.

References

• CVE-2026-32922 — NVD National Vulnerability Database: nvd.nist.gov/vuln/detail/CVE-2026-32922
• CVE-2026-32924 — NVD National Vulnerability Database: nvd.nist.gov/vuln/detail/CVE-2026-32924
• CVE-2026-32973 — NVD National Vulnerability Database: nvd.nist.gov/vuln/detail/CVE-2026-32973
• CVE-2026-32975 — NVD National Vulnerability Database: nvd.nist.gov/vuln/detail/CVE-2026-32975
• CVE-2026-32987 — NVD National Vulnerability Database: nvd.nist.gov/vuln/detail/CVE-2026-32987
• CVE Record — MITRE CVE Program: cve.org