CVE

CVE-2026-32042

OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth

Summary

A client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including operator.admin) before pairing approval, enabling privilege escalation.

Impact

Attackers with valid shared gateway auth could self-assign higher operator scopes by presenting a self-signed, unpaired device identity.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: >= 2026.2.22 <= 2026.2.24
  • Latest published npm at triage time: 2026.2.24
  • Planned patched release: 2026.2.25

Remediation

Require pairing for operator device-identity sessions that are authenticated with shared token/password auth, except on the existing control-ui trusted-proxy and control-ui bypass policy paths.
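The gate the remediation describes, as an added illustration that is not OpenClaw's code: a toy scope-granting routine in its pre-fix shape beside the patched shape. The session fields (sharedAuthValid, authMode, deviceId), the pairing registry, the scope names other than operator.admin, and the audit log are all assumptions of this model; capping granted scopes at those approved during pairing goes beyond the page's stated fix and is an extra design choice.

```javascript
// Added model of the pairing requirement from the advisory's remediation.
// NOT OpenClaw's code: session shape, scope names other than operator.admin,
// the pairing registry and the audit log are assumptions of this example.

const OPERATOR_SCOPES = new Set(["operator.read", "operator.write", "operator.admin"]);

// Constructed pairing registry: device id -> scopes an operator approved at
// pairing time. A self-signed identity that was never approved is absent.
const PAIRED_DEVICES = new Map([
  ["device-approved-001", new Set(["operator.read", "operator.write"])],
  ["device-approved-002", new Set(["operator.read", "operator.write", "operator.admin"])],
]);

// Denied or trimmed scope requests; a defender would forward these to a SIEM,
// since an unpaired identity asking for operator.admin is the pattern to alert on.
const auditLog = [];

function validScopes(requested) {
  return requested.filter((s) => OPERATOR_SCOPES.has(s));
}

// Pre-fix behaviour as the advisory describes it: once the shared gateway
// credential checks out, the scopes the client asked for are issued without
// consulting whether the presented device identity was ever paired.
function grantScopesVulnerable(session, requested) {
  if (!session.sharedAuthValid) return { ok: false, reason: "bad_auth" };
  return { ok: true, scopes: validScopes(requested) };
}

// Patched behaviour: under shared token/password auth a device identity must
// be paired before any operator scope is issued. The "trusted-proxy" mode
// stands in for the bypass policy paths the advisory leaves exempt.
function grantScopesPatched(session, requested) {
  if (!session.sharedAuthValid) return { ok: false, reason: "bad_auth" };
  const wanted = validScopes(requested);
  if (session.authMode === "trusted-proxy") {
    return { ok: true, scopes: wanted };
  }
  const approved = PAIRED_DEVICES.get(session.deviceId);
  if (!approved) {
    auditLog.push({ event: "scope_denied_unpaired", deviceId: session.deviceId, requested: wanted });
    return { ok: false, reason: "pairing_required" };
  }
  // Extra design choice (assumption): never hand out more than pairing approved.
  const granted = wanted.filter((s) => approved.has(s));
  const refused = wanted.filter((s) => !approved.has(s));
  if (refused.length > 0) {
    auditLog.push({ event: "scope_trimmed", deviceId: session.deviceId, refused });
  }
  return { ok: true, scopes: granted };
}

// Constructed sessions: a valid shared credential presented together with a
// self-signed device identity that is not in the pairing registry, and one
// whose identity was approved for read/write only.
const unpairedSession = { sharedAuthValid: true, authMode: "shared", deviceId: "device-selfsigned-999" };
const pairedSession = { sharedAuthValid: true, authMode: "shared", deviceId: "device-approved-001" };

function demo() {
  return {
    before: grantScopesVulnerable(unpairedSession, ["operator.admin"]),
    after: grantScopesPatched(unpairedSession, ["operator.admin"]),
    pairedAfter: grantScopesPatched(pairedSession, ["operator.read", "operator.admin"]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the three outcomes side by side: the pre-fix routine issues operator.admin to the unpaired identity, the patched routine refuses with pairing_required and writes an audit record, and a paired identity receives only the scopes its pairing approval covers.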

Fix Commit(s)

  • 8d1481cb4a9d31bd617e52dc8c392c35689d9dea

Release Process Note

patched_versions is pre-set to the release (>= 2026.2.25). Advisory published with npm release 2026.2.25.

OpenClaw thanks @tdjackey for reporting.


CVSS Scores

  • CVSS 4.0: base score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • CVSS 3.1: base score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

  • https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j
  • https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689d9dea
  • https://github.com/openclaw/openclaw

Basic Information

  • Ecosystem: npm
  • Base CVSS: 8.8
  • EPSS Probability: 0.00125%
  • EPSS Percentile: 0.31294%
  • Introduced Version: 2026.2.22
  • Fix Available: 2026.2.25, 2026.2.25-beta.1