cbcvebase.
CVE-2026-32045
published 2026-03-21

CVE-2026-32045: OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password…

Priority: P2 · 65
Severity: critical (CVSS 3.1 base score 9.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.40% (31.9th percentile)
OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials.
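To make the scoping error concrete, the following is an added example (not OpenClaw's code and not taken from the advisory) that models the authorization decision for HTTP gateway routes: the pre-2026.2.21 behaviour the description gives, where a tokenless Tailscale identity-header check is applied to every gateway route, beside a corrected decision that only honours the header on routes designated for it. The route names, the bearer-token scheme, the use of the Tailscale-User-Login header and the trusted-proxy addresses are all assumptions of this example.

```javascript
// Added example, not OpenClaw's code: a minimal model of the authorization decision
// for HTTP gateway routes, showing the pre-2026.2.21 behaviour described by the
// advisory beside a corrected decision. Route names, the bearer-token scheme, the
// identity header name and the trusted-proxy addresses are all assumptions.

// Constructed configuration for a hypothetical gateway.
const CONFIG = {
  gatewayToken: "s3cr3t-gateway-token",             // constructed shared secret
  headerAuthRoutes: new Set(["/ts/whoami"]),        // routes allowed to use identity headers (assumed)
  trustedProxyAddrs: new Set(["127.0.0.1", "::1"]), // where the local Tailscale proxy connects from (assumed)
};

// A request is modelled as { path, headers, remoteAddr } with lower-cased header names.

function hasValidToken(req) {
  const auth = req.headers["authorization"] || "";
  return auth === `Bearer ${CONFIG.gatewayToken}`;
}

// Tailscale Serve adds identity headers (e.g. Tailscale-User-Login) to proxied requests.
// Whether OpenClaw keys off this exact header is not stated in the advisory; assumed here.
function hasTailscaleIdentity(req) {
  const login = req.headers["tailscale-user-login"];
  return typeof login === "string" && login.length > 0;
}

// Vulnerable decision: the tokenless header check is applied to every HTTP gateway
// route, so the presence of an identity header is enough and no token is ever demanded.
function authorizeVulnerable(req) {
  if (hasTailscaleIdentity(req)) return { ok: true, method: "tailscale-header" };
  if (hasValidToken(req)) return { ok: true, method: "token" };
  return { ok: false, method: null };
}

// Corrected decision: token auth always works; header auth counts only on routes
// explicitly designated for it. The remote-address check is a defence-in-depth
// addition of this example (headers are only trustworthy when set by the proxy),
// not a step the advisory describes.
function authorizeFixed(req) {
  if (hasValidToken(req)) return { ok: true, method: "token" };
  const viaTrustedProxy = CONFIG.trustedProxyAddrs.has(req.remoteAddr);
  if (viaTrustedProxy && CONFIG.headerAuthRoutes.has(req.path) && hasTailscaleIdentity(req)) {
    return { ok: true, method: "tailscale-header" };
  }
  return { ok: false, method: null };
}

// Constructed requests covering the interesting cases.
const SAMPLE_REQUESTS = {
  // A peer on the trusted network hits a gateway route with only an identity header.
  headerOnlyGateway: {
    path: "/api/gateway/exec",
    headers: { "tailscale-user-login": "peer@example.com" },
    remoteAddr: "100.64.0.9",
  },
  // Same route with the proper token: must pass in both versions.
  tokenGateway: {
    path: "/api/gateway/exec",
    headers: { authorization: "Bearer s3cr3t-gateway-token" },
    remoteAddr: "100.64.0.9",
  },
  // Designated header-auth route, arriving via the local proxy: allowed after the fix.
  headerOnlyDesignated: {
    path: "/ts/whoami",
    headers: { "tailscale-user-login": "alice@example.com" },
    remoteAddr: "127.0.0.1",
  },
};

// Run every sample through both decisions; returns { name: { vulnerable, fixed } }.
function compareDecisions(requests = SAMPLE_REQUESTS) {
  const out = {};
  for (const [name, req] of Object.entries(requests)) {
    out[name] = { vulnerable: authorizeVulnerable(req).ok, fixed: authorizeFixed(req).ok };
  }
  return out;
}

console.table(compareDecisions());
```

The only row that differs between the two columns is the header-only request to a gateway route: the vulnerable decision accepts it with no token, the corrected one refuses it while still accepting the same header on the route designated for it.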

Affected

2 ranges
Vendor     Product    Version range        Fixed in
openclaw   openclaw   < 2026.2.21          2026.2.21
openclaw   openclaw   >= 0 < 2026.2.21     2026.2.21

Detection & IOCs (extracted from sources)

  • Detect unauthenticated access to HTTP gateway routes in OpenClaw by monitoring for requests that carry no token or password credentials yet succeed; on vulnerable builds this indicates the tokenless Tailscale header path was taken on a trusted network
  • Flag OpenClaw (formerly Moltbot or Clawdbot) instances running versions prior to 2026.2.21 as vulnerable to authentication bypass on HTTP gateway routes
  • Monitor for HTTP gateway route access originating from trusted/internal network segments without accompanying authentication tokens or passwords, which may indicate exploitation of this misconfiguration
  • The vulnerability lies in how tokenless Tailscale header authentication is scoped: it is wrongly applied to HTTP gateway routes, so the bypass affects those routes only, not every endpoint
  • Exploitation requires the attacker to already be on a trusted network (e.g., a Tailscale peer), which reduces but does not eliminate the risk for internet-exposed deployments; header-based authentication is only as strong as the guarantee that nothing but the trusted proxy can set the header, so a gateway listener reachable by any path that does not strip or overwrite those headers lets the client supply them itself
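The monitoring the bullets above describe, as an added example that is not part of the page or of OpenClaw: a scan over a constructed JSON-lines access log that flags successful gateway-route requests carrying no token or password, and separates those that arrived through the local Tailscale proxy from those whose identity header came from some other address. The log format, the field names (`auth`, `ts_login`), the gateway route prefix and the trusted-proxy addresses are assumptions of this example.

```javascript
// Added example (not from OpenClaw or the advisory): scan a constructed JSON-lines
// access log for gateway requests that succeeded without a token/password. On a
// pre-2026.2.21 build that is the Tailscale header path. Field names, the log
// format, the route prefix and the trusted-proxy addresses are assumptions.

const GATEWAY_PREFIX = "/api/gateway/";                     // assumed gateway route prefix
const TRUSTED_PROXY_ADDRS = new Set(["127.0.0.1", "::1"]);  // assumed source of proxied Tailscale requests

// Constructed log lines: token auth, header-only success via the local proxy,
// header-only success from a LAN address (header supplied by the client), a
// rejected request, and a non-gateway route that should not be flagged.
const SAMPLE_LOG = [
  '{"ts":"2026-03-21T10:00:01Z","remote":"10.0.0.5","method":"GET","path":"/api/gateway/sessions","status":200,"auth":"bearer","ts_login":null}',
  '{"ts":"2026-03-21T10:00:02Z","remote":"127.0.0.1","method":"GET","path":"/api/gateway/sessions","status":200,"auth":null,"ts_login":"alice@example.com"}',
  '{"ts":"2026-03-21T10:00:03Z","remote":"192.168.1.77","method":"POST","path":"/api/gateway/exec","status":200,"auth":null,"ts_login":"alice@example.com"}',
  '{"ts":"2026-03-21T10:00:04Z","remote":"192.168.1.77","method":"POST","path":"/api/gateway/exec","status":401,"auth":null,"ts_login":null}',
  '{"ts":"2026-03-21T10:00:05Z","remote":"100.64.0.9","method":"GET","path":"/healthz","status":200,"auth":null,"ts_login":null}',
].join("\n");

// Parse JSON lines, skipping blank lines.
function parseLog(text) {
  return text.split("\n").filter((line) => line.trim() !== "").map((line) => JSON.parse(line));
}

// Classify one entry; returns the entry annotated with a finding, or null if benign.
function classify(entry) {
  if (!entry.path.startsWith(GATEWAY_PREFIX)) return null;      // only gateway routes are in scope
  if (entry.status < 200 || entry.status >= 300) return null;   // rejected requests are fine
  if (entry.auth) return null;                                   // token/password present: expected path
  if (!entry.ts_login) return { ...entry, finding: "unauthenticated-success" };
  return TRUSTED_PROXY_ADDRS.has(entry.remote)
    ? { ...entry, finding: "tailscale-header-auth" }                 // tokenless success via the proxy
    : { ...entry, finding: "tailscale-header-from-untrusted-source" }; // header not set by the proxy
}

// Scan a whole log text and return the findings in log order.
function scanLog(text) {
  return parseLog(text).map(classify).filter((f) => f !== null);
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.remote} ${f.method} ${f.path} -> ${f.finding}`);
}
```

Any `tailscale-header-auth` hit on a build older than 2026.2.21 is the bypass in use on a gateway route and should be paired with the version check in the second bullet; a `tailscale-header-from-untrusted-source` hit means the identity header reached the gateway from somewhere other than the proxy expected to set it, which is worth investigating regardless of version.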

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     3.1      9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd     4.0      8.2    HIGH      CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X