What is CVE-2026-32988?

A TOCTOU (time-of-check-time-of-use) race condition in OpenClaw's fs-bridge staged writes allows writing outside the sandbox. CVSS 7.5. Fixed in v2026.3.11.

What is CVE-2026-33577?

A critical (CVSS 9.8) privilege escalation where node.pair.approve lacks callerScopes validation, allowing low-privilege operators to escalate to broader scopes. Fixed v2026.3.28.

What is CVE-2026-28476?

An SSRF vulnerability from an incomplete fix. Channel extensions use raw fetch() against user-configurable base URLs, enabling attacker-controlled requests to internal endpoints. Fixed v2026.3.28.

Are these CVEs actively exploited?

No confirmed active exploitation reported yet, but the CVSS 9.8 critical makes CVE-2026-33577 a high-priority patch target.

How do I protect against these CVEs?

Update to OpenClaw v2026.3.28 or later, which patches all three vulnerabilities.

← Back to dashboard

clawsmith.com/signal/openclaw-cves-32988-33577-28476-march-2026

⚠ IssueUnknownSecurity AdvisoryLive

Three new OpenClaw CVEs: sandbox bypass (7.5), privilege escalation (9.8 critical), SSRF

CVE-2026-32988: TOCTOU sandbox escape (CVSS 7.5). CVE-2026-33577: critical node-pairing privilege escalation (CVSS 9.8). CVE-2026-28476: incomplete SSRF fix across channel extensions. All disclosed March 31, fixed in v2026.3.28.

Product Idea from this Signal

A security service that auto-patches OpenClaw CVEs within hours of disclosure before attackers exploit them

3.7k ▲

OpenClaw shipped 9 CVEs in 4 days (March 2026) including a CVSS 9.9 privilege escalation affecting 135K+ exposed instances. Most operators have no way to know which CVEs affect their version, no automated patching, and no coordination between the flood of advisories (156+ total) and their actual attack surface. This tool continuously monitors CVE feeds, maps each advisory to your installed version and enabled features, and applies safe mitigations automatically while queuing risky patches for human approval.

SECURITYCLIDEVTOOLOPEN-SOURCESYSADMIN

CompetitiveView Opportunity →