CVE-2026-41386
Received Received - Intake
Privilege Escalation in OpenClaw Device Pairing Setup

Publication date: 2026-04-28

Last updated on: 2026-05-01

Assigner: VulnCheck

Description
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and scope.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41386
EUVD
EUVD-2026-26095
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-648 The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not explicitly address how CVE-2026-41386 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-41386 is a privilege escalation vulnerability in OpenClaw versions before 2026.3.22. It occurs because bootstrap setup codes used during the first-use device pairing process are not properly bound to their intended device roles and scopes. This means that attackers can exploit this flaw to gain higher privileges than they should have by manipulating the pairing process.

The vulnerability arises from the failure to enforce strict role and scope binding on bootstrap tokens, allowing attackers to redeem tokens for broader permissions than originally issued. The fix involves binding bootstrap tokens explicitly to specific roles and scopes and rejecting any attempts to use tokens requesting broader privileges.

Impact Analysis

This vulnerability can allow an attacker to escalate their privileges during the device pairing process, gaining unauthorized access or control beyond what was intended. Because the attack vector is network-based with low complexity and requires no prior privileges or user interaction, it poses a significant risk.

The impact includes potential compromise of confidentiality and integrity of the system, as attackers can operate with elevated permissions. This could lead to unauthorized actions, data exposure, or manipulation within the affected OpenClaw environment.

Detection Guidance

Detection of this vulnerability involves verifying whether the OpenClaw installation is using a version prior to 2026.3.22, as these versions contain unbound bootstrap setup codes that allow privilege escalation.

Since the vulnerability is related to bootstrap tokens not being properly bound to device roles and scopes during pairing, detection can include checking logs or audit trails for bootstrap token redemption attempts that request broader roles or scopes than originally issued.

No specific commands are provided in the available resources to detect exploitation attempts or vulnerable tokens on the network or system.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenClaw to version 2026.3.22 or later, where the vulnerability has been fixed by strictly binding bootstrap setup codes to specific device roles and scopes.

This fix ensures that bootstrap tokens cannot be redeemed for broader permissions than originally issued, preventing privilege escalation during device pairing.

Additionally, reviewing and restricting device pairing processes and monitoring for any unusual bootstrap token usage can help reduce risk until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41386. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart