CVE-2026-32922
published 2026-03-29CVE-2026-32922: OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens…
PriorityP266critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
EPSS
0.54%
41.3th percentile
OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrain newly minted scopes to the caller's current scope set. Attackers can obtain operator.admin tokens for paired devices and achieve remote code execution on connected nodes via system.run or gain unauthorized gateway-admin access.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openclaw | openclaw | < 2026.3.11 | 2026.3.11 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor calls to device.token.rotate from tokens bearing only operator.pairing scope; any resulting token with scopes beyond operator.pairing is indicative of exploitation. ↗
- →Alert on operator.admin token issuance for paired devices when the originating request carried only operator.pairing scope, as this indicates successful privilege escalation. ↗
- →Detect invocations of system.run on connected nodes following a device.token.rotate call, which may indicate post-exploitation remote code execution. ↗
- →Flag any gateway-admin access grants that were preceded by a device.token.rotate call from an operator.pairing-scoped token. ↗
- ·Vulnerability only affects OpenClaw versions before 2026.3.11; ensure patched version is deployed to eliminate the attack surface. ↗
- ·The flaw is in scope enforcement at token rotation time — any operator.pairing-scoped caller can request arbitrarily broad scopes; access control must validate that newly minted scopes are a strict subset of the caller's current scope set. ↗
CVSS provenance
nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvdv4.09.4CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
blogs_hackernews·2026-04-13·CVSS 8.6
[HIGH] ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-sponsored meddling in infrastructure that is finally coming to light. It is one of those mornings where the gap between a quiet shift and a full-blown incident response is basically non-existent.
The variety this week is particularly nasty. We have AI models being turned into autonomous exploit engines, North Korean groups playing the long game
Wiz
CVE-2026-32922 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
CVE-2026-32922 [CRITICAL] CVE-2026-32922 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32922 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrain newly minted scopes to the caller's current scope set. Attackers can obtain operator.admin tokens for paired devices and achieve remote code execution on connected nodes via system.run or gain unauthorized gateway-admin access.
Source : NVD
## 9.4
Score
Published March 29, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Pro
2026-03-29
Published