CVE-2026-32039: OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
channels.*.groups.*.toolsBySender could match a privileged sender policy using a colliding mutable identity value (for example senderName or senderUsername) when deployments used untyped keys.
The fix introduces explicit typed sender keys (id:, e164:, username:, name:), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.
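To make the collision concrete, here is an added example (not OpenClaw's own code) that contrasts an untyped matcher, which compares a policy key against every identity field of the sender, with a typed matcher that only compares a key against the identifier kind it names and routes legacy untyped keys to the immutable ID. The `Sender` shape, the `resolveUntyped`/`resolveTyped` names and the sample policy are assumptions for illustration.

```typescript
// Added example, not OpenClaw's code. Shapes and names below are assumptions.
type Sender = { id: string; e164?: string; username?: string; name?: string };
type ToolPolicy = { allow: string[] };
type ToolsBySender = Record<string, ToolPolicy>;

// Vulnerable pattern: an untyped key is compared against every identity field,
// so a mutable value (display name, username) can collide with a privileged key.
function resolveUntyped(policies: ToolsBySender, s: Sender): ToolPolicy | undefined {
  for (const [key, policy] of Object.entries(policies)) {
    if ([s.id, s.e164, s.username, s.name].includes(key)) return policy;
  }
  return undefined;
}

// Hardened pattern: each key declares the identifier it refers to (id:, e164:,
// username:, name:); a legacy untyped key is only ever compared to the sender ID.
function resolveTyped(policies: ToolsBySender, s: Sender): ToolPolicy | undefined {
  for (const [key, policy] of Object.entries(policies)) {
    const sep = key.indexOf(":");
    if (sep === -1) {
      // Deprecated untyped key: ID-only path, never matched against mutable fields.
      if (key === s.id) return policy;
      continue;
    }
    const kind = key.slice(0, sep);
    const value = key.slice(sep + 1);
    const actual: string | undefined =
      kind === "id" ? s.id
      : kind === "e164" ? s.e164
      : kind === "username" ? s.username
      : kind === "name" ? s.name
      : undefined; // unknown kind: no match rather than a permissive fallback
    if (actual !== undefined && actual === value) return policy;
  }
  return undefined;
}

// Constructed sample: the operator meant "admin-1" as an immutable sender ID,
// but another sender sets their mutable display name to the same string.
const samplePolicies: ToolsBySender = { "admin-1": { allow: ["admin_tools"] } };
const nameCollision: Sender = { id: "user-99", name: "admin-1" };
```

With the untyped matcher the colliding display name resolves to the privileged policy; with the typed matcher it resolves to nothing, while `id:admin-1` or the legacy key still matches the real sender.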
References
- github.com/advisories/GHSA-wpph-cjgr-7c39
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57
- github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39
- nvd.nist.gov/vuln/detail/CVE-2026-32039
- www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-identity-collision-in-toolsbysender