CVE-2026-32031: OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch

March 12, 2026 (updated March 19, 2026)

Gateway auth for plugin channel endpoints can be bypassed when path canonicalization differs between the gateway guard and plugin handler routing.

References

github.com/advisories/GHSA-8j2w-6fmm-m587
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-8j2w-6fmm-m587
nvd.nist.gov/vuln/detail/CVE-2026-32031

Code Behaviors & Features

Detect and mitigate CVE-2026-32031 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →