CVE-2026-32042
published 2026-03-21CVE-2026-32042: OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing…
PriorityP260high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.44%
35.1th percentile
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openclaw | openclaw | >= 2026.2.22 < 2026.2.25 | 2026.2.25 |
| openclaw | openclaw | >= 2026.2.22 < 2026.2.25 | 2026.2.25 |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect unpaired device identities attempting to self-assign elevated operator scopes (e.g., operator.admin) before pairing approval is granted ↗
- →Monitor for self-signed unpaired device identity certificates being presented during operator scope requests — a self-signed cert from an unpaired device requesting elevated scopes is a strong indicator of exploitation ↗
- →Flag requests using valid shared gateway authentication credentials that are associated with unpaired device identities, particularly those requesting operator-level scopes ↗
- ·Vulnerability affects OpenClaw versions 2026.2.22 up to (not including) 2026.2.25; fixed version is 2026.2.25 or later. Patches were added to Homebrew and MinimOS on March 24, 2026. ↗
- ·OpenClaw was formerly known as Moltbot or Clawdbot — ensure detection and inventory coverage accounts for all historical package names. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-r3gm-fv85-xjqj: OpenClaw versions 2026
ghsa_unreviewed·2026-03-21
CVE-2026-32042 [HIGH] CWE-863 GHSA-r3gm-fv85-xjqj: OpenClaw versions 2026
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.
OSV
OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
osv·2026-03-03
CVE-2026-32042 [MEDIUM] OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
### Summary
A client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including `operator.admin`) before pairing approval, enabling privilege escalation.
### Impact
Attackers with valid shared gateway auth could self-assign higher operator scopes by presenting a self-signed, unpaired device identity.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `>= 2026.2.22 = 2026.2.25`). Advisory published with npm release `2026.2.25`.
OpenClaw thanks @tdjackey for reporting.
No detection rules found.
No public exploits indexed.
2026-03-21
Published