CVE-2026-32042
HIGH
CVSS 8.7 (v4.0, secondary score; the primary v3.1 score is 8.8 — vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
No EPSS data
Description
OpenClaw versions from 2026.2.22 up to, but not including, 2026.2.25 contain a privilege escalation vulnerability (CWE-863, Incorrect Authorization) that lets an unpaired device identity bypass the operator pairing requirement and self-assign elevated operator scopes, including operator.admin. An attacker who already holds valid shared gateway authentication (the low-privilege precondition reflected by PR:L in the CVSS vector) can present a self-signed, unpaired device identity and request and obtain higher operator scopes before pairing approval is granted. The issue is fixed in 2026.2.25.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2026-32042",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Primary",
"source": "disclosure@vulncheck.com",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 8.8,
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "LOW",
"confidentialityImpact": "HIGH"
},
"impactScore": 5.9,
"exploitabilityScore": 2.8
}
],
"cvssMetricV40": [
{
"type": "Secondary",
"source": "disclosure@vulncheck.com",
"cvssData": {
"Safety": "NOT_DEFINED",
"version": "4.0",
"Recovery": "NOT_DEFINED",
"baseScore": 8.7,
"Automatable": "NOT_DEFINED",
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"exploitMaturity": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "LOW",
"subIntegrityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"vulnAvailabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"subConfidentialityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED"
}
}
]
},
"published": "2026-03-21T01:17:06.547",
"references": [
{
"url": "https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689d9dea",
"tags": [
"Patch"
],
"source": "disclosure@vulncheck.com"
},
{
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j",
"tags": [
"Vendor Advisory"
],
"source": "disclosure@vulncheck.com"
},
{
"url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unpaired-device-identity-in-shared-gateway-authentication",
"tags": [
"Third Party Advisory"
],
"source": "disclosure@vulncheck.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Primary",
"source": "disclosure@vulncheck.com",
"description": [
{
"lang": "en",
"value": "CWE-863"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenClaw versions from 2026.2.22 up to, but not including, 2026.2.25 contain a privilege escalation vulnerability (CWE-863, Incorrect Authorization) that lets an unpaired device identity bypass the operator pairing requirement and self-assign elevated operator scopes, including operator.admin. An attacker who already holds valid shared gateway authentication (the low-privilege precondition reflected by PR:L in the CVSS vector) can present a self-signed, unpaired device identity and request and obtain higher operator scopes before pairing approval is granted. The issue is fixed in 2026.2.25."
},
{
"lang": "es",
"value": "Las versiones de OpenClaw 2026.2.22 anteriores a 2026.2.25 contienen una vulnerabilidad de escalada de privilegios que permite a las identidades de dispositivos no emparejados eludir los requisitos de emparejamiento del operador y autoasignarse \u00e1mbitos de operador elevados, incluyendo operator.admin. Atacantes con autenticaci\u00f3n de pasarela compartida v\u00e1lida pueden presentar una identidad de dispositivo no emparejado autofirmada para solicitar y obtener \u00e1mbitos de operador superiores antes de que se conceda la aprobaci\u00f3n de emparejamiento."
}
],
"lastModified": "2026-03-23T17:10:21.597",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "FDF31716-7509-4E57-AB22-3B52A6D24574",
"versionEndExcluding": "2026.2.25",
"versionStartIncluding": "2026.2.22"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "disclosure@vulncheck.com"
}
}