CVE-2026-32042
Published: 21 March 2026
Summary
CVE-2026-32042 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 31.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires identification and authentication of devices before establishing connections, preventing unpaired self-signed device identities from bypassing pairing and obtaining elevated scopes.
Enforces approved authorizations for access to resources, directly addressing the incorrect authorization that allows privilege escalation via unpaired device identities.
Limits privileges to the least necessary, mitigating the impact of self-assignment of elevated operator scopes including admin.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Privilege escalation vulnerability (CWE-863) allows low-privileged remote attackers to bypass authorization and self-assign elevated operator.admin scopes, directly enabling Exploitation for Privilege Escalation (T1068).
NVD Description
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity…
more
to request and obtain higher operator scopes before pairing approval is granted.
Deeper analysisAI
CVE-2026-32042 is a privilege escalation vulnerability (CWE-863: Incorrect Authorization) in OpenClaw versions 2026.2.22 prior to 2026.2.25. The issue allows unpaired device identities to bypass operator pairing requirements, enabling self-assignment of elevated operator scopes, including operator.admin.
Attackers with valid shared gateway authentication can exploit this vulnerability remotely over the network with low complexity, low privileges, and no user interaction. By presenting a self-signed unpaired device identity, they can request and obtain higher operator scopes before pairing approval is granted, resulting in high impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Advisories recommend upgrading to OpenClaw version 2026.2.25 or later to mitigate the vulnerability. A fixing commit is available at https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689d9dea, with further details in the GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unpaired-device-identity-in-shared-gateway-authentication.
Details
- CWE(s)