CVE-2026-32014

Severity: HIGH 8.0 | EPSS: 0.03%

OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy

Published: 2026/3/3 | Modified: 2026/3/20

Description

## Summary

A paired node device could reconnect with spoofed `platform`/`deviceFamily` metadata and broaden its node command policy eligibility. Reconnect metadata was accepted from the client as sent, and these two fields were not bound into the device-auth signature, so the server had no way to tell that they differed from the values seen at pairing time.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.25`
- Latest published version at update time: `2026.2.25`
- Patched version (pre-set for next release): `2026.2.26`

## Impact

In configurations where node command policy differs by platform, an attacker who holds an already paired node identity on the trusted network could spoof reconnect metadata and gain access to commands that should remain blocked for the platform the node was originally paired as.

## Fix

- Add device-auth payload `v3`, which signs the normalized `platform` and `deviceFamily` values.
- Verify `v3` first (falling back to `v2` for compatibility), while pinning the paired metadata server-side.
- Reject reconnects whose metadata does not match the pinned values, and require explicit repair pairing to change pinned metadata.
- Add regression coverage for reconnect spoof attempts.

## Fix Commit(s)

- `7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a`

## Release Process Note

`patched_versions` is pre-set to the planned next release `2026.2.26`; once that npm release is published, the advisory can be published without further field edits.

OpenClaw thanks @76embiid21 for reporting.

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | (not given) | `CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X` |
| osv | CVSS 3.1 | HIGH 8.0 | `CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |

References (5)