CVE-2026-41386
Privilege Escalation in OpenClaw Device Pairing Setup
Publication date: 2026-04-28
Last updated on: 2026-05-01
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.3.22 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-648 | The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not explicitly address how CVE-2026-41386 affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-41386 is a privilege escalation vulnerability in OpenClaw versions before 2026.3.22. It occurs because bootstrap setup codes used during the first-use device pairing process are not properly bound to their intended device roles and scopes. This means that attackers can exploit this flaw to gain higher privileges than they should have by manipulating the pairing process.
The vulnerability arises from the failure to enforce strict role and scope binding on bootstrap tokens, allowing attackers to redeem tokens for broader permissions than originally issued. The fix involves binding bootstrap tokens explicitly to specific roles and scopes and rejecting any attempts to use tokens requesting broader privileges.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to escalate their privileges during the device pairing process, gaining unauthorized access or control beyond what was intended. Because the attack vector is network-based with low complexity and requires no prior privileges or user interaction, it poses a significant risk.
The impact includes potential compromise of confidentiality and integrity of the system, as attackers can operate with elevated permissions. This could lead to unauthorized actions, data exposure, or manipulation within the affected OpenClaw environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying whether the OpenClaw installation is using a version prior to 2026.3.22, as these versions contain unbound bootstrap setup codes that allow privilege escalation.
Since the vulnerability is related to bootstrap tokens not being properly bound to device roles and scopes during pairing, detection can include checking logs or audit trails for bootstrap token redemption attempts that request broader roles or scopes than originally issued.
No specific commands are provided in the available resources to detect exploitation attempts or vulnerable tokens on the network or system.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenClaw to version 2026.3.22 or later, where the vulnerability has been fixed by strictly binding bootstrap setup codes to specific device roles and scopes.
This fix ensures that bootstrap tokens cannot be redeemed for broader permissions than originally issued, preventing privilege escalation during device pairing.
Additionally, reviewing and restricting device pairing processes and monitoring for any unusual bootstrap token usage can help reduce risk until the upgrade is applied.