CVE-2026-42429
Published: 28 April 2026
Summary
CVE-2026-42429 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenClaw (vendor: Openclaw). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 17.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations in the gateway plugin's HTTP authentication mechanism to prevent widening read-scoped requests into unauthorized write permissions.
- Applies least privilege to block privilege escalation from operator.read to operator.write access in runtime operations.
- Requires correct access control decisions by the gateway auth route to deny write access on read-scoped identity-bearing requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE explicitly describes a privilege escalation vulnerability (CWE-863) in the gateway plugin's HTTP authentication mechanism, allowing low-privileged users to improperly gain write permissions from read-scoped requests, directly mapping to exploitation for privilege escalation.
NVD Description
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.
Deeper analysis
CVE-2026-42429, published on 2026-04-28, is a privilege escalation vulnerability (CWE-863) rated at CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) affecting OpenClaw versions before 2026.4.8. The issue resides in the gateway plugin's HTTP authentication mechanism, which improperly widens identity-bearing operator.read requests into runtime operator.write permissions.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction by sending read-scoped requests through the gateway auth route. Successful exploitation grants unauthorized write access to runtime operations, resulting in high integrity impact while causing low confidentiality impact and no availability impact.
Mitigation is available via the patch in OpenClaw commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5, which corresponds to version 2026.4.8. Additional details on remediation are provided in the GitHub security advisory at GHSA-4f8g-77mw-3rxc and the VulnCheck advisory.
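The following is an added example, not OpenClaw's code and not the fix in the referenced commit: a generic TypeScript model of a gateway auth route that places the CWE-863 pattern the advisory describes (an identity-bearing, read-scoped credential resolved to write authority) next to the enforcement the mitigating controls above call for, and adds a check over decision records that flags any grant the credential's own scopes do not back. Every name in it (Scope, AuthContext, GatewayRequest, decide, findWidenedGrants, the /runtime/op and /runtime/status paths, the subject "alice") is an assumption made for the illustration.

```typescript
// Added example, not OpenClaw's code. All names and paths below are hypothetical.

type Scope = "operator.read" | "operator.write";

interface AuthContext {
  subject: string | null;            // identity the credential was issued to, if any
  grantedScopes: ReadonlySet<Scope>; // scopes the credential actually carries
}

interface GatewayRequest {
  method: "GET" | "POST";
  path: string;
  auth: AuthContext;
}

interface Decision {
  subject: string | null;
  granted: Scope[];
  required: Scope;
  allowed: boolean;
}

type ScopeResolver = (ctx: AuthContext) => ReadonlySet<Scope>;

// Flawed resolver (the CWE-863 shape the advisory describes): an identity-bearing
// request is treated as a full operator session, so a credential that only
// carries operator.read is widened to operator.write.
const resolveWidening: ScopeResolver = (ctx) =>
  ctx.subject !== null
    ? new Set<Scope>(["operator.read", "operator.write"])
    : ctx.grantedScopes;

// Hardened resolver: effective scopes are exactly the granted ones; carrying
// an identity never adds authority (least privilege, AC-3 access enforcement).
const resolveStrict: ScopeResolver = (ctx) => ctx.grantedScopes;

// The access control decision (AC-24) is keyed on the operation requested,
// not on who is asking: any non-GET runtime call needs operator.write.
function requiredScope(req: GatewayRequest): Scope {
  return req.method === "GET" ? "operator.read" : "operator.write";
}

// Produces an auditable record of each decision alongside the answer itself.
function decide(req: GatewayRequest, resolve: ScopeResolver): Decision {
  const required = requiredScope(req);
  return {
    subject: req.auth.subject,
    granted: Array.from(req.auth.grantedScopes),
    required,
    allowed: resolve(req.auth).has(required),
  };
}

// Detection over an audit trail of decisions: a grant is suspicious whenever the
// credential's own scopes do not include the scope the operation required.
function findWidenedGrants(log: Decision[]): Decision[] {
  return log.filter((d) => d.allowed && !d.granted.includes(d.required));
}

// Constructed sample: identity-bearing, read-scoped credential used for a write.
const readScopedWrite: GatewayRequest = {
  method: "POST",
  path: "/runtime/op", // hypothetical runtime write endpoint
  auth: { subject: "alice", grantedScopes: new Set<Scope>(["operator.read"]) },
};

// Constructed sample: the same credential doing what it is scoped for.
const readScopedRead: GatewayRequest = {
  method: "GET",
  path: "/runtime/status", // hypothetical runtime read endpoint
  auth: { subject: "alice", grantedScopes: new Set<Scope>(["operator.read"]) },
};

// Runs both samples through each resolver and returns the flagged decisions.
function demo(): { flawed: Decision[]; hardened: Decision[] } {
  const flawed = [decide(readScopedWrite, resolveWidening), decide(readScopedRead, resolveWidening)];
  const hardened = [decide(readScopedWrite, resolveStrict), decide(readScopedRead, resolveStrict)];
  return { flawed: findWidenedGrants(flawed), hardened: findWidenedGrants(hardened) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the widening resolver the write request is allowed and shows up in findWidenedGrants, because the decision record carries both the credential's granted scopes and the scope the operation needed; under the strict resolver the write is denied while the read-scoped GET still succeeds. Keeping granted and required scopes in every decision record is what makes the widening detectable after the fact, independent of which resolver was in use.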
Details
- CWE(s)