cbcvebase.
CVE-2026-32042
published 2026-03-21

CVE-2026-32042: OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing…

PriorityP260high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.44%
35.1th percentile
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.

Affected

2 ranges
VendorProductVersion rangeFixed in
openclawopenclaw>= 2026.2.22 < 2026.2.252026.2.25
openclawopenclaw>= 2026.2.22 < 2026.2.252026.2.25

Detection & IOCsextracted from sources · hover to see the quote

  • Detect unpaired device identities attempting to self-assign elevated operator scopes (e.g., operator.admin) before pairing approval is granted
  • Monitor for self-signed unpaired device identity certificates being presented during operator scope requests — a self-signed cert from an unpaired device requesting elevated scopes is a strong indicator of exploitation
  • Flag requests using valid shared gateway authentication credentials that are associated with unpaired device identities, particularly those requesting operator-level scopes
  • ·Vulnerability affects OpenClaw versions 2026.2.22 up to (not including) 2026.2.25; fixed version is 2026.2.25 or later. Patches were added to Homebrew and MinimOS on March 24, 2026.
  • ·OpenClaw was formerly known as Moltbot or Clawdbot — ensure detection and inventory coverage accounts for all historical package names.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.