PT-2026-26725 · Openclaw · Openclaw
Tdjackey
·
Published
2026-03-03
·
Updated
2026-03-22
·
CVE-2026-32042
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions 2026.2.22 through 2026.2.24
Description
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation issue. Unpaired device identities can bypass operator pairing requirements and self-assign elevated operator scopes, including
operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.Recommendations
Update OpenClaw to version 2026.2.25 or later.
Fix
LPE
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw