CVE-2026-42426
Published: 28 April 2026
Summary
CVE-2026-42426 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces least privilege by requiring the narrow operator.pairing scope for node pairing approvals instead of the broader operator.write scope exploited in this CVE.
Mandates enforcement of approved authorizations, directly mitigating the improper acceptance of operator.write scope in the node.pair.approve method.
Requires timely remediation of flaws like the scope validation error fixed in OpenClaw 2026.4.8, preventing exploitation and enabling recovery post-vulnerability disclosure.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The remote improper authorization flaw in node.pair.approve enables low-privileged attackers to bypass scope checks for node pairing approval, directly facilitating exploitation of a public-facing application (T1190) to achieve privilege escalation and unauthorized node access (T1068).
NVD Description
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized…
more
access to exec-capable nodes.
Deeper analysisAI
CVE-2026-42426 is an improper authorization vulnerability (CWE-863) affecting OpenClaw versions prior to 2026.4.8. The issue resides in the node.pair.approve method, which incorrectly accepts the broader operator.write scope instead of the more restrictive operator.pairing scope. This flaw enables unprivileged users to approve node pairing without the necessary permissions, as disclosed on April 28, 2026, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Attackers require low privileges, specifically operator.write permissions, to exploit this vulnerability remotely over the network with low complexity and no user interaction. By calling the node.pair.approve method, they can bypass intended pairing approval restrictions, gaining unauthorized access to exec-capable nodes and potentially achieving high confidentiality, integrity, and availability impacts.
Mitigation involves upgrading to OpenClaw 2026.4.8 or later, where the commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 addresses the scope validation issue. Official advisories, including the GitHub Security Advisory GHSA-67mf-f936-ppxf and Vulncheck's analysis, recommend immediate patching and review of operator permissions to enforce the operator.pairing scope for pairing operations.
Details
- CWE(s)