CVE-2026-32922
Privilege Escalation in OpenClaw device.token.rotate Enables RCE

Publication date: 2026-03-29

Last updated on: 2026-03-31

Assigner: VulnCheck

Description
OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrain newly minted scopes to the caller's current scope set. Attackers can obtain operator.admin tokens for paired devices and achieve remote code execution on connected nodes via system.run or gain unauthorized gateway-admin access.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-29
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: openclaw
Product: openclaw
Version range: all versions before 2026.3.11 (2026.3.11 itself is not affected)
CWE
CWE-266 (Incorrect Privilege Assignment): the product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. Here the actor is a caller holding operator.pairing, and the unintended privilege is the operator.admin scope on minted device tokens.
Compliance Impact

The provided information does not specify how CVE-2026-32922 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-32922 is a critical privilege escalation vulnerability in OpenClaw versions before 2026.3.11. The device.token.rotate handler lets a caller holding only the operator.pairing scope mint new device tokens carrying broader scopes than the caller itself holds. The root cause is an incomplete authorization check: the handler validates the requested scopes against the target device's approved scope set, but never intersects them with the caller's own current scopes. Any scope the device was ever approved for can therefore be requested by a pairing-scoped caller, including operator.admin, without the caller ever having held administrative rights.

The resulting token grants unauthorized administrative access. In environments where connected nodes or companion apps expose system.run, an operator.admin token can be used to run commands on those nodes, which is remote code execution. Even without connected nodes, the attacker gains unauthorized gateway-admin access.

Impact Analysis

An attacker who holds only operator.pairing can obtain operator.admin tokens for paired devices and perform administrative actions without authorization.

Where connected nodes or companion applications expose system.run, those tokens allow remote code execution on the nodes, which can compromise every host reachable through the gateway. Where no nodes are connected, the attacker still obtains gateway-admin access and with it full control over the gateway itself.

Mitigation Strategies

Upgrade OpenClaw to version 2026.3.11 or later. In the fixed version device.token.rotate restricts the scopes of a newly minted token to a subset of the caller's existing scopes, so a caller with operator.pairing alone can no longer mint operator.admin tokens, and the escalation path to gateway-admin access and system.run execution is closed.

The upgrade only prevents new over-scoped tokens from being minted. As a general precaution after any token-minting fix, review device tokens issued while a vulnerable version was running and revoke any whose scopes exceed what the requesting operator was entitled to.
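The following is an added illustrative model of the authorization defect described in the Executive Summary and of the subset check described under Mitigation Strategies. It is not OpenClaw's code: the type and function names, the operator.read scope, and the sample callers and device are all assumptions chosen to mirror the advisory's vocabulary. The "vulnerable" function checks requested scopes only against the device's approved set; the "fixed" function additionally requires them to be a subset of the caller's own scopes.

```typescript
// Illustrative model only; not OpenClaw's implementation. Names and sample data are assumptions.

type Scope = "operator.pairing" | "operator.read" | "operator.admin";

interface Caller {
  id: string;
  scopes: Scope[]; // scopes carried by the token the caller authenticates with
}

interface PairedDevice {
  deviceId: string;
  approvedScopes: Scope[]; // scopes the device was approved for at pairing time
}

interface MintedToken {
  deviceId: string;
  scopes: Scope[];
  mintedBy: string;
}

type RotateResult =
  | { ok: true; token: MintedToken }
  | { ok: false; reason: string };

type RotateFn = (caller: Caller, device: PairedDevice, requested: Scope[]) => MintedToken;

function isSubset(wanted: Scope[], allowed: Scope[]): boolean {
  return wanted.every((s) => allowed.includes(s));
}

// "Before": the only scope check is against the target device's approved set.
// A caller holding nothing but operator.pairing can request operator.admin for
// any device whose approved set contains it, which is the escalation in the CVE.
function rotateTokenVulnerable(caller: Caller, device: PairedDevice, requested: Scope[]): MintedToken {
  if (!caller.scopes.includes("operator.pairing")) {
    throw new Error("forbidden: operator.pairing scope required");
  }
  if (!isSubset(requested, device.approvedScopes)) {
    throw new Error("requested scopes exceed the device's approved scopes");
  }
  return { deviceId: device.deviceId, scopes: [...requested], mintedBy: caller.id };
}

// "After": the same checks plus the one the advisory says was missing, namely that
// the minted scopes must be a subset of the caller's own current scopes.
function rotateTokenFixed(caller: Caller, device: PairedDevice, requested: Scope[]): MintedToken {
  if (!caller.scopes.includes("operator.pairing")) {
    throw new Error("forbidden: operator.pairing scope required");
  }
  if (!isSubset(requested, device.approvedScopes)) {
    throw new Error("requested scopes exceed the device's approved scopes");
  }
  if (!isSubset(requested, caller.scopes)) {
    throw new Error("scope escalation rejected: requested scopes exceed the caller's scopes");
  }
  return { deviceId: device.deviceId, scopes: [...requested], mintedBy: caller.id };
}

// Wraps either implementation so callers get a result object instead of an exception.
function tryRotate(impl: RotateFn, caller: Caller, device: PairedDevice, requested: Scope[]): RotateResult {
  try {
    return { ok: true, token: impl(caller, device, requested) };
  } catch (e) {
    return { ok: false, reason: (e as Error).message };
  }
}

// Constructed sample data, not taken from any real deployment.
const pairingOnlyCaller: Caller = { id: "op-pairing-1", scopes: ["operator.pairing"] };
const adminCaller: Caller = { id: "op-admin-1", scopes: ["operator.pairing", "operator.admin"] };
const sampleDevice: PairedDevice = { deviceId: "node-42", approvedScopes: ["operator.read", "operator.admin"] };

// Runs the escalation attempt against both implementations and returns the outcomes.
function compareImplementations(): { vulnerable: RotateResult; fixed: RotateResult; fixedAdmin: RotateResult } {
  const requested: Scope[] = ["operator.admin"];
  return {
    vulnerable: tryRotate(rotateTokenVulnerable, pairingOnlyCaller, sampleDevice, requested),
    fixed: tryRotate(rotateTokenFixed, pairingOnlyCaller, sampleDevice, requested),
    fixedAdmin: tryRotate(rotateTokenFixed, adminCaller, sampleDevice, requested),
  };
}

const outcome = compareImplementations();
console.log("vulnerable, pairing-only caller asks for operator.admin:", outcome.vulnerable);
console.log("fixed, pairing-only caller asks for operator.admin:     ", outcome.fixed);
console.log("fixed, admin caller asks for operator.admin:            ", outcome.fixedAdmin);
```

The device-side check alone is not wrong; it is necessary, since a token should never carry a scope the device was not approved for. The defect is that it is the only check, so the device's approved set becomes an upper bound that any pairing-scoped caller can reach. The fixed function keeps the device check and adds the caller-side bound, which is the subset rule the advisory attributes to 2026.3.11.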
