GHSA-8J2W-6FMM-M587

Vulnerability from github – Published: 2026-03-12 14:22 – Updated: 2026-03-25 18:47
Summary
OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch
Details

Summary

Gateway auth for plugin channel endpoints can be bypassed when path canonicalization differs between the gateway guard and plugin handler routing.

Details

On affected versions, server-http only applies gateway auth when raw requestPath matches exactly:
- /api/channels
- /api/channels/*

If a plugin handler canonicalizes path input (for example decodeURIComponent(pathname).toLowerCase()), requests like:
- /API/channels/nostr/default/profile
- /api/channels%2Fnostr%2Fdefault%2Fprofile

can be interpreted as /api/channels/* by the plugin, while the gateway auth guard is skipped.
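The mismatch described above, as an added example that is not OpenClaw's own code: a guard that matches the raw path, a plugin router that uses the canonicalization quoted in the advisory, and one possible hardened guard that canonicalizes before deciding and fails closed. All function names and the sample path list are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not OpenClaw's own code.
const PROTECTED = "/api/channels";
const isChannelPath = (p) => p === PROTECTED || p.startsWith(PROTECTED + "/");

// Guard as the advisory describes it: auth applies only on a raw-path match.
function rawGuardRequiresAuth(requestPath) {
  return isChannelPath(requestPath);
}

// Plugin routing using the canonicalization quoted in the advisory.
function pluginHandles(pathname) {
  return isChannelPath(decodeURIComponent(pathname).toLowerCase());
}

// Canonicalize for the auth decision: decode until stable (bounded),
// lowercase, collapse repeated slashes. Returns null when the path is
// malformed or still changing after maxPasses.
function canonicalize(requestPath, maxPasses = 3) {
  let path = requestPath;
  for (let i = 0; i < maxPasses; i++) {
    let decoded;
    try { decoded = decodeURIComponent(path); } catch { return null; }
    if (decoded === path) return path.toLowerCase().replace(/\/{2,}/g, "/");
    path = decoded;
  }
  return null;
}

// Hardened guard (one possible approach): decide on the canonical form and
// fail closed, i.e. require auth whenever canonicalization is not clean.
function hardenedGuardRequiresAuth(requestPath) {
  const path = canonicalize(requestPath);
  return path === null || isChannelPath(path);
}

// Constructed sample: the two request shapes from the advisory plus controls.
const SAMPLE_PATHS = [
  "/api/channels",
  "/API/channels/nostr/default/profile",
  "/api/channels%2Fnostr%2Fdefault%2Fprofile",
  "/health",
];

// Paths the plugin would serve as channel routes without the guard firing.
function findMismatches(paths, guard) {
  return paths.filter((p) => pluginHandles(p) && !guard(p));
}

console.log("raw guard gaps:", findMismatches(SAMPLE_PATHS, rawGuardRequiresAuth));
console.log("hardened gaps:", findMismatches(SAMPLE_PATHS, hardenedGuardRequiresAuth));
```

Running `findMismatches` over a route inventory in a unit test is a cheap regression check that the guard and every handler agree on what counts as a protected path.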

Impact

Authentication boundary bypass for plugin channel HTTP routes under canonicalization mismatch conditions. Unauthorized callers may access plugin channel APIs that are expected to require gateway auth.

CWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (Base 5.3, Moderate)


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.25"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:22:04Z",
    "nvd_published_at": "2026-03-19T22:16:38Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nGateway auth for plugin channel endpoints can be bypassed when path canonicalization differs between the gateway guard and plugin handler routing.\n\n### Details\nOn affected versions, `server-http` only applies gateway auth when raw `requestPath` matches exactly:\n- `/api/channels`\n- `/api/channels/*`\n\nIf a plugin handler canonicalizes path input (for example `decodeURIComponent(pathname).toLowerCase()`), requests like:\n- `/API/channels/nostr/default/profile`\n- `/api/channels%2Fnostr%2Fdefault%2Fprofile`\ncan be interpreted as `/api/channels/*` by the plugin, while the gateway auth guard is skipped.\n\n### Impact\nAuthentication boundary bypass for plugin channel HTTP routes under canonicalization mismatch conditions. Unauthorized callers may access plugin channel APIs that are expected to require gateway auth.\n\nCWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)\nCVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N` (Base 5.3, Moderate)",
  "id": "GHSA-8j2w-6fmm-m587",
  "modified": "2026-03-25T18:47:40Z",
  "published": "2026-03-12T14:22:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j2w-6fmm-m587"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32031"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-path-canonicalization-mismatch-in-api-channels-gateway"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch"
}

