Incorrect authorization in OpenClaw - #VU125283


Published: April 8, 2026


Vulnerability identifier: #VU125283
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to obtain tokens with unapproved roles or scopes.

The vulnerability exists due to improper access control in the device.token.rotate operation. A local user can trigger token rotation to obtain a token carrying roles or scopes beyond those approved during pairing, bypassing the intended pairing approval.

This issue is scoped to the product's local trust model rather than a multi-tenant service boundary.

Remediation

Install the security update from the vendor's website.

Sources