OpenClaw Devices Can Access More Features Without Approval

CVE-2026-32042 · CVSS 4.0 score: 8.7
Summary

OpenClaw versions 2026.2.22 through 2026.2.24 contain an authorization flaw that lets an unpaired device obtain operator scopes it has not been approved for. An attacker who already holds valid shared gateway credentials can present a self-signed, unpaired device identity and request elevated operator scopes, including operator.admin, before pairing approval is granted. Update to version 2026.2.25 or later to fix the issue.

Original title
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated oper...
Original description
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.
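The description above amounts to a CWE-863 pattern: the gateway trusted scopes carried by a self-presented identity once the shared token checked out, instead of deriving them from an approved pairing record. The following is an added illustration of that flawed check beside a hardened one; it is not OpenClaw's code, and the dataclass fields, the `pairings` lookup, and every scope name other than `operator.admin` are assumptions made for the demonstration.

```python
"""Illustrative scope resolution for a device-pairing gateway.

Added example, not OpenClaw's own code: the record fields, the pairing
lookup and the scope names other than 'operator.admin' are assumptions.
"""
from dataclasses import dataclass, field

BASELINE_SCOPES = frozenset({"operator.read"})                     # assumed default scope
ELEVATED_SCOPES = frozenset({"operator.write", "operator.admin"})  # operator.admin is named in the advisory


@dataclass(frozen=True)
class DeviceIdentity:
    device_id: str
    self_signed: bool                       # presented by the device itself, not yet vetted
    requested_scopes: frozenset = frozenset()


@dataclass
class PairingRecord:
    approved: bool
    granted_scopes: frozenset = field(default_factory=frozenset)


def resolve_scopes_vulnerable(token_valid: bool, identity: DeviceIdentity) -> frozenset:
    """Flawed pattern (CWE-863): a valid shared token plus a self-presented
    identity is enough to receive whatever scopes the device asked for."""
    if not token_valid:
        return frozenset()
    return BASELINE_SCOPES | identity.requested_scopes


def resolve_scopes_fixed(token_valid: bool, identity: DeviceIdentity,
                         pairings: dict) -> frozenset:
    """Hardened pattern: requested scopes are never trusted; elevated scopes
    come only from an operator-approved pairing record keyed by device id."""
    if not token_valid:
        return frozenset()
    record = pairings.get(identity.device_id)
    if record is None or not record.approved:
        return BASELINE_SCOPES               # unpaired: baseline only, request ignored
    # Grant only what was approved, and never anything outside the known set
    return BASELINE_SCOPES | (record.granted_scopes & ELEVATED_SCOPES)


# Constructed scenario: an unpaired, self-signed identity asks for operator.admin.
UNPAIRED_ADMIN_REQUEST = DeviceIdentity("dev-unpaired-01", True, frozenset({"operator.admin"}))
PAIRINGS = {"dev-paired-07": PairingRecord(True, frozenset({"operator.write"}))}


def demo() -> dict:
    """Run both resolvers over the constructed scenario."""
    return {
        "vulnerable": resolve_scopes_vulnerable(True, UNPAIRED_ADMIN_REQUEST),
        "fixed": resolve_scopes_fixed(True, UNPAIRED_ADMIN_REQUEST, PAIRINGS),
    }


if __name__ == "__main__":
    for name, scopes in demo().items():
        print(f"{name}: {sorted(scopes)}")
```

The design point is that the pairing record, not the presented identity, is the source of truth for effective scopes: an identity that has no approved record gets the baseline set regardless of what it asks for, and even an approved record cannot grant a scope outside the set the gateway knows about.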
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 8.7
Vulnerability type
CWE-863 Incorrect Authorization
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026