CVE-2026-32922
published 2026-03-29


Priority P2 · 66 · critical · 9.9 · CVSS 3.1
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.54% (41.3rd percentile)
OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrain newly minted scopes to the caller's current scope set. Attackers can obtain operator.admin tokens for paired devices and achieve remote code execution on connected nodes via system.run or gain unauthorized gateway-admin access.

Affected (1 range)

Vendor     Product    Version range    Fixed in
openclaw   openclaw   < 2026.3.11      2026.3.11

Detection & IOCs (extracted from sources)

  other:    device.token.rotate
  command:  system.run
  • Monitor calls to device.token.rotate from tokens bearing only operator.pairing scope; any resulting token with scopes beyond operator.pairing is indicative of exploitation.
  • Alert on operator.admin token issuance for paired devices when the originating request carried only operator.pairing scope, as this indicates successful privilege escalation.
  • Detect invocations of system.run on connected nodes following a device.token.rotate call, which may indicate post-exploitation remote code execution.
  • Flag any gateway-admin access grants that were preceded by a device.token.rotate call from an operator.pairing-scoped token.
  • Vulnerability only affects OpenClaw versions before 2026.3.11; ensure the patched version is deployed to eliminate the attack surface.
  • The flaw is in scope enforcement at token rotation time — any operator.pairing-scoped caller can request arbitrarily broad scopes; access control must validate that newly minted scopes are a strict subset of the caller's current scope set.
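
The scope-bounding rule in the last item and the detection logic in the items above, as an added example that is not OpenClaw code. It models a device.token.rotate handler in its pre-fix form (requested scopes copied onto the new token unchecked) beside a hardened form that treats the caller's current scope set as the upper bound, then replays constructed audit events to flag rotations whose issued scopes exceed the caller's scopes and any system.run call made with such a token. The class and function names and the audit-event field names are assumptions; the reading that a rotation keeping the same scopes is allowed while any broadening is refused is also an assumption of this example.

```python
"""Scope-bounded token rotation plus an audit-log check for escalating rotations.

Added example, not OpenClaw code. Class/function names and the audit-event
field names are assumptions made for this illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Token:
    token_id: str
    device_id: str
    scopes: FrozenSet[str]


class ScopeEscalationError(PermissionError):
    """Raised when a rotation asks for scopes outside the caller's grant."""


def rotate_token_unchecked(caller: Token, requested: Iterable[str]) -> Token:
    """Pre-fix behaviour as the advisory describes it: the requested scopes are
    copied onto the new token with no comparison against the caller's scopes."""
    return Token(secrets.token_hex(8), caller.device_id, frozenset(requested))


def rotate_token(caller: Token, requested: Iterable[str]) -> Token:
    """Hardened rotation: issued scopes must be contained in the caller's current
    scope set. Rotating to the same scopes is allowed; any broadening is refused."""
    wanted = frozenset(requested)
    excess = wanted - caller.scopes
    if excess:
        raise ScopeEscalationError(
            f"{caller.token_id} requested scopes outside its grant: {sorted(excess)}"
        )
    return Token(secrets.token_hex(8), caller.device_id, wanted)


# Constructed audit events (not real OpenClaw log output); field names assumed.
AUDIT_EVENTS: List[Dict] = [
    {"ts": 1, "method": "device.token.rotate", "device_id": "dev-1",
     "caller_token": "t-pair-1", "caller_scopes": ["operator.pairing"],
     "issued_token": "t-rot-1", "issued_scopes": ["operator.pairing"]},
    {"ts": 2, "method": "device.token.rotate", "device_id": "dev-2",
     "caller_token": "t-pair-2", "caller_scopes": ["operator.pairing"],
     "issued_token": "t-rot-2", "issued_scopes": ["operator.pairing", "operator.admin"]},
    {"ts": 3, "method": "system.run", "device_id": "dev-2", "token": "t-rot-2"},
    {"ts": 4, "method": "system.run", "device_id": "dev-1", "token": "t-rot-1"},
]


def find_escalating_rotations(events: Iterable[Dict]) -> Set[str]:
    """Token IDs issued by rotations whose scopes exceed the caller's scope set."""
    flagged: Set[str] = set()
    for ev in events:
        if ev.get("method") != "device.token.rotate":
            continue
        gained = set(ev["issued_scopes"]) - set(ev["caller_scopes"])
        if gained:
            flagged.add(ev["issued_token"])
    return flagged


def find_system_run_with_flagged_tokens(events: Iterable[Dict], flagged: Set[str]) -> List[int]:
    """Timestamps of system.run calls made with a token produced by an
    escalating rotation (the post-exploitation signal from the detection notes)."""
    return [ev["ts"] for ev in events
            if ev.get("method") == "system.run" and ev.get("token") in flagged]


def demo() -> Dict[str, object]:
    """Run both rotation variants and the detector; return the observations."""
    pairing = Token("t-pair-0", "dev-0", frozenset({"operator.pairing"}))
    unchecked = rotate_token_unchecked(pairing, {"operator.pairing", "operator.admin"})
    try:
        rotate_token(pairing, {"operator.pairing", "operator.admin"})
        hardened_refused = False
    except ScopeEscalationError:
        hardened_refused = True
    same = rotate_token(pairing, {"operator.pairing"})
    flagged = find_escalating_rotations(AUDIT_EVENTS)
    return {
        "unchecked_gained_admin": "operator.admin" in unchecked.scopes,
        "hardened_refused": hardened_refused,
        "same_scope_rotation_ok": same.scopes == pairing.scopes,
        "flagged_tokens": flagged,
        "system_run_after_escalation": find_system_run_with_flagged_tokens(AUDIT_EVENTS, flagged),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detector only needs the caller's and the issued token's scope sets in the rotation record, which is why the rotation handler should log both; with that in place, the same set difference that the hardened handler uses to refuse a request also serves as the alert condition for deployments still running a version before 2026.3.11.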

CVSS provenance

  NVD · v3.1 · 9.9 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  NVD · v4.0 · 9.4 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X