CVE-2026-32916
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Description
## Summary In affected versions of `openclaw`, the plugin subagent runtime dispatched gateway methods through a synthetic operator client that always carried broad administrative scopes. Plugin-owned HTTP routes using `auth: "plugin"` could therefore trigger admin-only gateway actions without normal gateway authorization. ## Impact This is a critical authorization bypass. An external unauthenticated request to a plugin-owned route could reach privileged subagent runtime methods and perform admin-only gateway actions such as deleting sessions, reading session data, or triggering agent execution. ## Affected Packages and Versions - Package: `openclaw` (npm) - Affected versions: `>= 2026.3.7, < 2026.3.11` - Fixed in: `2026.3.11` ## Technical Details The new plugin subagent runtime preserved neither the original caller's auth context nor least-privilege scope. Instead, it executed gateway dispatches through a fabricated operator client with administrative scopes, which was reachable from plugin-owned routes that intentionally bypass normal gateway auth so plugins can perform their own webhook verification. ## Fix OpenClaw now preserves real authorization boundaries for plugin subagent calls instead of dispatching them through synthetic admin scopes. The fix shipped in `[email protected]`. ## Workarounds Upgrade to `2026.3.11` or later.
How to fix CVE-2026-32916
To remediate CVE-2026-32916, upgrade the affected package to a fixed version below.
- —upgrade to 2026.3.11 or later
Is CVE-2026-32916 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2026.3.7, < 2026.3.11