
CVE-2026-42429

Medium · Public PoC · Updated

Published: 28 April 2026

Modified: 26 May 2026
KEV Added: not currently listed
Patch: available (OpenClaw 2026.4.8)
CVSS Score (v4): 6.0
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0006 (20.4th percentile)
Risk Priority: 12 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-42429 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-42429, published on 2026-04-28, is a privilege escalation vulnerability (CWE-863) rated 7.1 under CVSS v3.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) affecting OpenClaw versions before 2026.4.8. The issue resides in the gateway plugin's HTTP authentication mechanism, which improperly widens identity-bearing operator.read requests into runtime operator.write permissions.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction by sending read-scoped requests through the gateway auth route. Successful exploitation grants unauthorized write access to runtime operations, resulting in high integrity impact while causing low confidentiality impact and no availability impact.

Mitigation is available via the patch in OpenClaw commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5, which corresponds to version 2026.4.8. Additional details on remediation are provided in the GitHub security advisory at GHSA-4f8g-77mw-3rxc and the VulnCheck advisory.
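The pattern behind the bug, as an added illustration in JavaScript that is not OpenClaw's code: a gateway auth check that treats any identity-bearing request as proof of operator authority and hands it the runtime write scope, beside a check that derives permissions only from the scopes the token actually carries. The token store, route and function names are constructed for the example.

```javascript
// Illustrative model of the CWE-863 pattern described for CVE-2026-42429.
// Not OpenClaw's code: token store, route, and helper names are constructed.

const SCOPE_READ = "operator.read";
const SCOPE_WRITE = "operator.write";

// Constructed sample tokens (not real credentials).
const TOKENS = {
  "tok-read-only": { subject: "alice", scopes: [SCOPE_READ] },
  "tok-write": { subject: "bob", scopes: [SCOPE_READ, SCOPE_WRITE] },
};

// Resolve the bearer token on a request to an identity, or null.
function identityFromRequest(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const match = /^Bearer\s+(\S+)$/.exec(header);
  return match ? TOKENS[match[1]] || null : null;
}

// Vulnerable pattern: carrying any valid identity is treated as proof of
// operator authority, so a read-scoped caller is widened to write.
function authorizeWidening(req, requiredScope) {
  const identity = identityFromRequest(req);
  if (!identity) return { allowed: false, reason: "unauthenticated" };
  // BUG: every authenticated operator receives the full runtime scope set.
  const effective = new Set([SCOPE_READ, SCOPE_WRITE]);
  return { allowed: effective.has(requiredScope), subject: identity.subject };
}

// Hardened pattern: effective permissions are exactly the token's scopes,
// and a write route is refused unless operator.write is present.
function authorizeStrict(req, requiredScope) {
  const identity = identityFromRequest(req);
  if (!identity) return { allowed: false, reason: "unauthenticated" };
  if (!identity.scopes.includes(requiredScope)) {
    return { allowed: false, reason: "missing " + requiredScope, subject: identity.subject };
  }
  return { allowed: true, subject: identity.subject };
}

// Constructed request: a read-only operator calling a runtime write route.
const readOnlyWriteRequest = {
  path: "/runtime/agents/restart",
  headers: { authorization: "Bearer tok-read-only" },
};

// Same caller, same route: the widening check lets it through, the strict one does not.
console.log(authorizeWidening(readOnlyWriteRequest, SCOPE_WRITE).allowed); // true
console.log(authorizeStrict(readOnlyWriteRequest, SCOPE_WRITE).allowed);   // false
```

The fix is to compute effective permissions from the credential's own scope set rather than from the mere presence of an identity, which is what the patched version is described as enforcing.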


Vulnerability details

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that escalates identity-bearing operator.read requests to runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.

CWE(s)

CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE explicitly describes a privilege escalation vulnerability (CWE-863) in the gateway plugin's HTTP authentication mechanism, allowing low-privileged users to improperly gain write permissions from read-scoped requests, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41371 (same product: Openclaw Openclaw)
CVE-2026-41344 (same product: Openclaw Openclaw)
CVE-2026-41404 (same product: Openclaw Openclaw)
CVE-2026-41379 (same product: Openclaw Openclaw)
CVE-2026-32042 (same product: Openclaw Openclaw)
CVE-2026-32918 (same product: Openclaw Openclaw)
CVE-2026-33577 (same product: Openclaw Openclaw)
CVE-2026-42432 (same product: Openclaw Openclaw)
CVE-2026-32972 (same product: Openclaw Openclaw)
CVE-2026-32915 (same product: Openclaw Openclaw)

Affected Assets

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.4.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

prevent (AC-3 Access Enforcement): Directly enforces correct authorization decisions so that operator.read-scoped requests cannot be escalated to operator.write permissions via the gateway auth route.

prevent (AC-6 Least Privilege): Requires that identities are granted only the minimum privileges needed, preventing the read-to-write permission widening described in the CVE.

prevent: Ensures access-control decisions are made consistently and correctly for each request, blocking the flawed gateway plugin logic that converts read requests into write access.

References