Main Vulnerability Database Vulnerabilities #VU125087

Incorrect authorization in OpenClaw - CVE-2026-32042

Published: April 7, 2026

Vulnerability identifier: #VU125087

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-32042

CWE-ID: CWE-863

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenClaw

Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in the operator pairing and scope assignment logic when attaching an unpaired device identity using shared gateway authentication. A remote user can present a self-signed, unpaired device identity and request elevated operator scopes to escalate privileges.

The issue can allow assignment of higher operator scopes, including operator.admin, before pairing approval.

How to mitigate CVE-2026-32042

Install security update from vendor's website.

Sources

https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j

Incorrect authorization in OpenClaw - CVE-2026-32042

Detailed vulnerability description

How to mitigate CVE-2026-32042

Sources

Please verify you're human