Vulnerability Description
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | >= 2026.2.22, < 2026.2.25 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689dPatch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656jVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unpaired-Third Party Advisory
FAQ
What is CVE-2026-32042?
CVE-2026-32042 is a vulnerability with a CVSS score of 8.8 (HIGH). OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operato...
How severe is CVE-2026-32042?
CVE-2026-32042 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32042?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.