CVE-2026-42422
Published: 28 April 2026
Summary
CVE-2026-42422 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires enforcement of approved authorizations for access to system resources, directly preventing the role bypass vulnerability in the device.token.rotate function.
Mandates timely identification, reporting, and correction of flaws like this authorization bypass, mitigating exploitation through patching as done in OpenClaw 2026.4.8.
Enforces least privilege principle, limiting the scope and impact of unauthorized roles and scopes minted via the bypassed token rotation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Role bypass in device.token.rotate allows minting tokens for unapproved roles/scopes, directly enabling exploitation for privilege escalation (T1068) and use of application access tokens for unauthorized access (T1527).
NVD Description
OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.
Deeper analysisAI
CVE-2026-42422 is a role bypass vulnerability in OpenClaw versions before 2026.4.8, specifically within the device.token.rotate function. This flaw allows attackers to mint tokens for unapproved roles, bypassing the intended device role-upgrade pairing process to preserve or mint roles and scopes without undergoing proper approval. Published on 2026-04-28, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-863 (Incorrect Authorization).
The attack requires low privileges (PR:L) and is exploitable over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). A low-privileged attacker can invoke the vulnerable function to generate tokens granting unauthorized roles and scopes, potentially achieving high impacts on confidentiality, integrity, and availability by escalating access beyond intended approvals.
Mitigation is provided in OpenClaw 2026.4.8 through a fix in commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5, available at https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Further details appear in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-role-bypass-in-device-token-rotate-function.
Details
- CWE(s)