#VU125283 Incorrect authorization in OpenClaw

Published: April 8, 2026


Vulnerability identifier: #VU125283
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a local user to obtain tokens with unapproved roles or scopes.

The vulnerability exists due to improper authorization in the device.token.rotate operation. A local user can trigger token rotation to obtain tokens whose roles or scopes bypass the intended pairing approval.

This issue is scoped to the product's local trust model rather than a multi-tenant service boundary.
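As an added illustration (not OpenClaw's code, and assuming nothing about its real device.token.rotate implementation beyond the advisory's description), a minimal Python model of the CWE-863 pattern: the vulnerable rotation authenticates the token holder but trusts caller-supplied roles and scopes, while the hardened form only issues privileges that pairing approved and rejects anything broader.

```python
# Added illustration of the weakness class; the Device/Token types and the
# rotate functions are hypothetical, not OpenClaw's API.
import secrets
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    approved_roles: frozenset   # roles granted when pairing was approved
    approved_scopes: frozenset  # scopes granted when pairing was approved
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

@dataclass(frozen=True)
class Token:
    value: str
    roles: frozenset
    scopes: frozenset

def excess_privileges(device, roles, scopes):
    """Return (roles, scopes) requested beyond the pairing approval.
    Useful both as the authorization check and for auditing issued tokens."""
    return (frozenset(roles) - device.approved_roles,
            frozenset(scopes) - device.approved_scopes)

def rotate_vulnerable(device, current_token, roles, scopes):
    """Vulnerable pattern: proves possession of the current token, then mints a
    new one with whatever roles/scopes the caller asked for, so rotation
    escalates past what pairing approved."""
    if not secrets.compare_digest(current_token, device.token):
        raise PermissionError("unknown token")
    device.token = secrets.token_urlsafe(16)
    return Token(device.token, frozenset(roles), frozenset(scopes))

def rotate_hardened(device, current_token, roles, scopes):
    """Hardened form: the new token's privileges must be a subset of the
    pairing approval. Broader requests are refused (not silently clamped),
    so an escalation attempt surfaces as an auditable error."""
    if not secrets.compare_digest(current_token, device.token):
        raise PermissionError("unknown token")
    extra_roles, extra_scopes = excess_privileges(device, roles, scopes)
    if extra_roles or extra_scopes:
        raise PermissionError(
            f"rotation requested privileges outside pairing approval: "
            f"roles={sorted(extra_roles)} scopes={sorted(extra_scopes)}")
    device.token = secrets.token_urlsafe(16)
    return Token(device.token, frozenset(roles), frozenset(scopes))
```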


Remediation

Install the security update from the vendor's website.

External links