CVE-2026-32922
Privilege Escalation in OpenClaw device.token.rotate Enables RCE
Publication date: 2026-03-29
Last updated on: 2026-03-31
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.3.11 (2026.3.11 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32922 is a critical privilege escalation vulnerability in OpenClaw versions before 2026.3.11. It lies in the device.token.rotate function, which lets a caller holding only the operator.pairing scope mint new device tokens with broader privileges than the caller itself has. The root cause is an incomplete authorization check: the function validates the requested scopes against the target device's approved scopes, but never restricts them to the caller's own current scopes. An attacker who can reach device.token.rotate with an operator.pairing token can therefore mint operator.admin tokens for paired devices without ever having been granted administrative rights.
The escalation yields unauthorized administrative access to the gateway. In environments where connected nodes or companion apps expose system.run, an operator.admin token can then be used to execute code on those nodes. Even without connected nodes, the attacker still obtains unauthorized gateway-admin access.
How can this vulnerability impact me?
The primary impact is privilege escalation: a caller with the low-privilege operator.pairing scope can obtain operator.admin tokens for paired devices and perform administrative actions that were never granted to it.
In deployments where connected nodes or companion applications expose system.run, those admin tokens can be used to run commands on the nodes, which can compromise the hosts behind the gateway. Even without connected nodes, the attacker gains unauthorized gateway-admin access and with it control over the gateway's configuration and paired devices.
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenClaw to version 2026.3.11 or later. In that release device.token.rotate is fixed so that the scopes of a newly minted token must be a subset of the caller's existing scopes (in addition to the existing check against the target device's approved scopes), which closes the escalation path.
Note that the fix only changes how new tokens are minted; it does not by itself invalidate tokens that were already issued. If a vulnerable version was reachable by untrusted operator.pairing callers, review the device tokens issued during that period and revoke any that carry scopes (in particular operator.admin) the requesting device was never meant to hold.
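To make the flawed check and its fix concrete, here is an added illustrative model of the two authorization rules, written for this page and not taken from OpenClaw's source. It assumes a caller must already hold operator.pairing to call rotate at all, models a device's "approved scopes" as a plain list, and invents the operator.read scope and the device identifiers purely for the scenario; only operator.pairing and operator.admin come from the advisory text.

```typescript
// Illustrative model of the device.token.rotate scope check described for
// CVE-2026-32922. Added example, not OpenClaw's code: the type names, the
// operator.read scope, the device ids and the requirement that the caller
// hold operator.pairing are assumptions made for this demonstration.

type Scope = "operator.pairing" | "operator.admin" | "operator.read";

interface CallerToken {
  deviceId: string;
  scopes: Scope[];          // scopes the caller currently holds
}

interface PairedDevice {
  id: string;
  approvedScopes: Scope[];  // scopes approved for this device at pairing time
}

interface RotateResult {
  ok: boolean;
  token?: { deviceId: string; scopes: Scope[] };
  error?: string;
}

function isSubset(requested: Scope[], allowed: Scope[]): boolean {
  return requested.every((s) => allowed.includes(s));
}

// Pre-2026.3.11 behaviour as described: the requested scopes are only
// compared against the target device's approved scopes, never against the
// caller's own scopes. A pairing-only caller can therefore mint an
// operator.admin token for any device that was approved for admin.
function rotateVulnerable(caller: CallerToken, target: PairedDevice, requested: Scope[]): RotateResult {
  if (!caller.scopes.includes("operator.pairing")) {
    return { ok: false, error: "operator.pairing scope required" };
  }
  if (!isSubset(requested, target.approvedScopes)) {
    return { ok: false, error: "requested scopes exceed device approval" };
  }
  return { ok: true, token: { deviceId: target.id, scopes: requested } };
}

// Fixed behaviour as described for 2026.3.11: the new token's scopes must
// also be a subset of what the caller itself holds, so rotation can narrow
// or preserve privilege but never widen it.
function rotateFixed(caller: CallerToken, target: PairedDevice, requested: Scope[]): RotateResult {
  if (!caller.scopes.includes("operator.pairing")) {
    return { ok: false, error: "operator.pairing scope required" };
  }
  if (!isSubset(requested, target.approvedScopes)) {
    return { ok: false, error: "requested scopes exceed device approval" };
  }
  if (!isSubset(requested, caller.scopes)) {
    return { ok: false, error: "requested scopes exceed caller scopes" };
  }
  return { ok: true, token: { deviceId: target.id, scopes: requested } };
}

// Constructed scenario: a caller holding only operator.pairing targets a
// device that was approved for operator.admin.
const pairingOnlyCaller: CallerToken = { deviceId: "dev-A", scopes: ["operator.pairing"] };
const adminApprovedDevice: PairedDevice = {
  id: "dev-B",
  approvedScopes: ["operator.pairing", "operator.admin"],
};
const readOnlyDevice: PairedDevice = { id: "dev-C", approvedScopes: ["operator.read"] };

export function demo() {
  return {
    // escalation succeeds against the vulnerable check
    vulnerable: rotateVulnerable(pairingOnlyCaller, adminApprovedDevice, ["operator.admin"]),
    // the same request is rejected by the fixed check
    fixed: rotateFixed(pairingOnlyCaller, adminApprovedDevice, ["operator.admin"]),
    // a legitimate rotation (no widening) still works after the fix
    fixedLegit: rotateFixed(pairingOnlyCaller, adminApprovedDevice, ["operator.pairing"]),
    // the device-approval check is still enforced in both versions
    deviceLimit: rotateFixed(pairingOnlyCaller, readOnlyDevice, ["operator.pairing"]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the second subset test is that rotation is a derivation from an existing credential, so the derived credential's authority must be bounded by the credential that requested it, not just by what the target is allowed to hold. Checking only the target-side policy answers "could this device ever be admin?" rather than "is this caller allowed to make it admin?", which is exactly the gap the advisory describes.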
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2026-32922 affects compliance with common standards and regulations such as GDPR or HIPAA.