CVE-2026-32042
Privilege Escalation in OpenClaw via Unpaired Device Identity Bypass
Publication date: 2026-03-21
Last updated on: 2026-03-23
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | From 2026.2.22 (inc) to 2026.2.25 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32042 is a privilege escalation vulnerability in OpenClaw versions prior to 2026.2.25. It allows attackers who have valid shared gateway authentication to bypass the normal operator pairing requirements by presenting a self-signed, unpaired device identity. This enables them to self-assign elevated operator privileges, including the operator.admin scope, without waiting for pairing approval.
The root cause is an incorrect authorization check where the system fails to enforce mandatory pairing for operator device-identity sessions authenticated via shared tokens. This flaw lets unpaired devices gain higher operator scopes improperly.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized privilege escalation, allowing attackers to gain elevated operator access on the OpenClaw gateway. Specifically, attackers can bypass pairing controls and assign themselves high-level operator scopes such as operator.admin.
Such unauthorized access can compromise the confidentiality, integrity, and availability of the system, potentially allowing attackers to perform administrative actions, manipulate data, or disrupt services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unpaired device identities bypassing operator pairing requirements by using shared gateway authentication to self-assign elevated operator scopes. Detection would involve monitoring for connection attempts from unpaired devices presenting self-signed device identities requesting operator scopes such as operator.admin.
Since the vulnerability is related to authentication and pairing logic in OpenClaw versions prior to 2026.2.25, detection can focus on identifying unpaired device identity connection attempts that request elevated operator scopes without proper pairing.
Specific commands are not provided in the available resources. However, network or system administrators could monitor OpenClaw gateway logs for pairing requests and connection attempts that are rejected due to missing pairing or that show unpaired devices requesting operator scopes.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.2.25 or later, where the vulnerability has been fixed by enforcing mandatory device pairing for operator device-identity sessions authenticated via shared token authentication.
This fix removes the previous logic that allowed unpaired operator devices to bypass pairing when using shared token authentication, ensuring that all operator devices must be paired before gaining operator scopes.
Until the upgrade can be applied, administrators should monitor for unpaired device connection attempts requesting elevated operator scopes and consider restricting shared gateway authentication tokens to trusted devices only.
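The flawed check described in the explanation above and the fix described in the mitigation answer, as an added illustration that is not OpenClaw's own code: a simplified gateway model in which a valid shared token plus an unpaired device identity is granted whatever operator scopes it claims (the CWE-863 condition), beside the corrected version that refuses any unpaired identity and caps scopes at what was approved when the device was paired. The class and field names, the pairing-store layout, and the sample device ids are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class DeviceIdentity:
    device_id: str      # hypothetical identifier presented by the connecting device
    self_signed: bool   # True when the identity was minted by the device itself


@dataclass(frozen=True)
class ConnectRequest:
    shared_token_valid: bool          # shared gateway token already verified
    device: Optional[DeviceIdentity]
    requested_scopes: FrozenSet[str]  # scopes the client asks for, e.g. operator.admin


class Gateway:
    def __init__(self, paired: Dict[str, FrozenSet[str]]):
        # Pairing store (assumed layout): device_id -> scopes an operator approved
        # at pairing time. Unpaired devices have no entry.
        self.paired = paired

    def grant_vulnerable(self, req: ConnectRequest) -> FrozenSet[str]:
        """Pre-fix behaviour: shared-token auth short-circuits the pairing check."""
        if not req.shared_token_valid:
            raise PermissionError("shared token rejected")
        if req.device is None:
            return frozenset()
        approved = self.paired.get(req.device.device_id)
        if approved is None:
            # FLAW: an unpaired (possibly self-signed) identity keeps the scopes
            # it claimed for itself, so operator.admin is self-assigned.
            return req.requested_scopes
        return req.requested_scopes & approved

    def grant_fixed(self, req: ConnectRequest) -> FrozenSet[str]:
        """Post-fix behaviour: pairing is mandatory for every operator identity."""
        if not req.shared_token_valid:
            raise PermissionError("shared token rejected")
        if req.device is None:
            return frozenset()
        approved = self.paired.get(req.device.device_id)
        if approved is None:
            # Shared-token auth no longer substitutes for pairing approval.
            raise PermissionError("pairing required: device is not paired")
        # Even a paired device only receives scopes approved at pairing time.
        return req.requested_scopes & approved
```

Running the unpaired self-signed request through both methods shows the difference: the vulnerable path hands back operator.admin, the fixed path rejects the session until pairing is approved.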