CVE-2026-42432
Published: 28 April 2026
Summary
CVE-2026-42432 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces system-wide approved authorizations for logical access, directly countering the incorrect authorization (CWE-863) that allows previously paired nodes to execute privileged commands without operator.admin scope.
Mandates re-authentication for privileged functions or context changes like node reconnection, mitigating the bypass of re-pairing authentication required for exec-capable commands.
Enforces least privilege to limit the scope and impact of privilege escalation even if authorization checks for paired node reconnection are bypassed.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a local privilege escalation via incorrect authorization (CWE-863) that bypasses authentication to execute privileged commands, directly enabling T1068 Exploitation for Privilege Escalation.
NVD Description
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.
Deeper analysisAI
CVE-2026-42432 is a privilege escalation vulnerability in OpenClaw versions prior to 2026.4.8. It stems from a flaw (CWE-863: Incorrect Authorization) that permits previously paired nodes to reconnect and issue exec-capable commands without the required operator.admin scope. This bypasses re-pairing authentication, enabling execution of privileged commands on the local assistant system. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-28.
A local attacker with low privileges (PR:L) who has access to previously paired nodes can exploit this issue with low complexity and no user interaction. By reconnecting a paired node, the attacker bypasses authentication controls to execute arbitrary privileged commands on the local assistant system, potentially leading to high-impact confidentiality, integrity, and availability compromises, such as full system compromise.
Mitigation is addressed in OpenClaw 2026.4.8 via a patch in commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Security practitioners should consult the GitHub security advisory (GHSA-5wj5-87vq-39xm) and VulnCheck advisory for detailed remediation steps, including upgrading affected installations and reviewing node pairing configurations.
Details
- CWE(s)