CVE-2026-32042

HighPublic PoC

Published: 21 March 2026

Published

21 March 2026

Modified

23 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0013 31.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity…

to request and obtain higher operator scopes before pairing approval is granted.

Mitigating Controls (NIST 800-53 r5)AI

IA-3 Device Identification and Authentication good match

prevent

Requires identification and authentication of devices before establishing connections, preventing unpaired self-signed device identities from bypassing pairing and obtaining elevated scopes.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to resources, directly addressing the incorrect authorization that allows privilege escalation via unpaired device identities.

AC-6 Least Privilege partial match

prevent

Limits privileges to the least necessary, mitigating the impact of self-assignment of elevated operator scopes including admin.

Security SummaryAI

CVE-2026-32042 is a privilege escalation vulnerability (CWE-863: Incorrect Authorization) in OpenClaw versions 2026.2.22 prior to 2026.2.25. The issue allows unpaired device identities to bypass operator pairing requirements, enabling self-assignment of elevated operator scopes, including operator.admin.

Attackers with valid shared gateway authentication can exploit this vulnerability remotely over the network with low complexity, low privileges, and no user interaction. By presenting a self-signed unpaired device identity, they can request and obtain higher operator scopes before pairing approval is granted, resulting in high impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Advisories recommend upgrading to OpenClaw version 2026.2.25 or later to mitigate the vulnerability. A fixing commit is available at https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689d9dea, with further details in the GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unpaired-device-identity-in-shared-gateway-authentication.

Details

CWE(s): CWE-863

Affected Products

openclaw

2026.2.22 — 2026.2.25

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Privilege escalation vulnerability (CWE-863) allows low-privileged remote attackers to bypass authorization and self-assign elevated operator.admin scopes, directly enabling Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689d9dea
Patch · disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j
Vendor Advisory · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unpaired-device-identity-in-shared-gateway-authentication
Third Party Advisory · disclosure@vulncheck.com