CVE-2026-32014
OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
Description
## Summary

A paired node device could reconnect with spoofed `platform`/`deviceFamily` metadata and broaden node command policy eligibility, because reconnect metadata was accepted from the client while these fields were not bound into the device-auth signature.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.25`
- Latest published version at update time: `2026.2.25`
- Patched version (pre-set for next release): `2026.2.26`

## Impact

In configurations where node command policy differs by platform, an attacker with an already paired node identity on the trusted network could spoof reconnect metadata and gain access to commands that should remain blocked for the originally paired platform.

## Fix

- Add device-auth payload `v3` that signs normalized `platform` and `deviceFamily`.
- Verify `v3` first (fallback to `v2` for compatibility), while pinning paired metadata server-side.
- Reject reconnect metadata mismatches and require explicit repair pairing to change pinned metadata.
- Add regression coverage for reconnect spoof attempts.

## Fix Commit(s)

- `7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a`

## Release Process Note

`patched_versions` is pre-set to the planned next release `2026.2.26`; once that npm release is published, the advisory can be published without further field edits.

OpenClaw thanks @76embiid21 for reporting.
How to fix CVE-2026-32014
To remediate CVE-2026-32014, upgrade the affected package to a fixed version below.
- `openclaw` (npm): upgrade to 2026.2.26 or later
Is CVE-2026-32014 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `openclaw` (npm): `>= 0, < 2026.2.26`