CVE-2026-42432
Published: 28 April 2026
Summary
CVE-2026-42432 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-42432 is a privilege escalation vulnerability in OpenClaw versions prior to 2026.4.8. It stems from a flaw (CWE-863: Incorrect Authorization) that permits previously paired nodes to reconnect and issue exec-capable commands without the required operator.admin scope. This bypasses re-pairing authentication, enabling execution of privileged commands on the local assistant system. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-28.
A local attacker with low privileges (PR:L) who has access to previously paired nodes can exploit this issue with low complexity and no user interaction. By reconnecting a paired node, the attacker bypasses authentication controls to execute arbitrary privileged commands on the local assistant system, potentially leading to high-impact confidentiality, integrity, and availability compromises, such as full system compromise.
Mitigation is addressed in OpenClaw 2026.4.8 via a patch in commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Security practitioners should consult the GitHub security advisory (GHSA-5wj5-87vq-39xm) and VulnCheck advisory for detailed remediation steps, including upgrading affected installations and reviewing node pairing configurations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26134
Vulnerability details
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a local privilege escalation via incorrect authorization (CWE-863) that bypasses authentication to execute privileged commands, directly enabling T1068 Exploitation for Privilege Escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization decisions so that exec-capable commands require the operator.admin scope even for previously paired nodes.
Enforces least-privilege scoping so paired nodes cannot obtain privileged command execution without explicit operator.admin rights.
Requires proper device identification and authentication on every reconnection attempt, blocking the re-pairing bypass.