Description
OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.
Published: 2026-04-28
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: Unauthorized role/token minting
Action: Patch immediately
AI Analysis

Impact

OpenClaw versions prior to 2026.4.8 contain a role bypass flaw in the device.token.rotate function. An attacker who already holds a paired device's token can, on rotation, preserve or mint roles and scopes that never went through the device role-upgrade pairing approval, ending up with privileges the operator never granted. The root cause is an incorrect authorization check (CWE-863): the rotation path does not verify that the role and scopes it issues match what was approved for that device, which undermines role integrity and can give the attacker broad access to protected scopes.

Affected Systems

All OpenClaw deployments running a version earlier than 2026.4.8 are affected (the CPE record identifies the Node.js build). Any deployment whose device.token.rotate API is reachable by paired device clients is at risk, since those clients are the callers of this function; administrators who rely on the pairing approval step to gate role upgrades are the ones whose controls are bypassed. The flaw is in OpenClaw's own token rotation logic.

Risk and Exploitability

Two CVSS vectors are recorded for this CVE: v3.1 scores it 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and v4.0 scores it 7.7 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). Both require low privileges, meaning the attacker must already hold a paired device's token, and the v4.0 vector adds an attack-requirements condition (AT:P). No EPSS score is published, and the CVE is not in CISA's KEV catalog; absence from KEV means no confirmed in-the-wild exploitation had been catalogued at the time of this analysis, not that exploitation is unlikely. The probable attack path is an authenticated device submitting a rotation request that names a higher role or wider scopes than were approved at pairing; wherever the rotation endpoint is exposed to device clients this is realistic to exploit, and because the required privilege is only that of a paired device, a single compromised or malicious device is enough.

Generated by OpenCVE AI on April 28, 2026 at 22:55 UTC.

Remediation

No vendor advisory is linked on this page. The CVE description identifies 2026.4.8 as the first fixed version; no workaround is published.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.8 or later to apply the vendor patch that fixes the token rotation logic.
  • Until the upgrade is applied, limit which paired devices can reach the device.token.rotate endpoint and treat tokens it has already issued as suspect: the missing approval check is in application code, not a configuration setting, so it cannot be enabled without the patch, and any existing token whose role or scopes differ from the device's pairing approval should be revoked.
  • Review audit logs for device.token.rotate events whose resulting role or scopes exceed what pairing approved for that device; after patching, keep alerting on rejected rotation requests, since those now indicate an attempted bypass.
  • Conduct a security review of role assignment workflows to verify that no other endpoints suffer similar authorization gaps.
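The audit-log review above can be scripted. What follows is an added example, not OpenClaw code and not its real log schema: it replays a constructed JSON-lines audit log, tracks the latest pairing approval per device as it goes, and flags every device.token.rotate event whose minted role or scopes exceed that approval (or that has no approval at all). The event names, field layout, role ranking and sample lines are hypothetical; map them onto the gateway's actual log format before use.

```javascript
// Added example, not OpenClaw's code: offline detection of token rotations
// that exceed the device's pairing approval. Event names, fields and the
// sample log are constructed for this example and are hypothetical.
const ROLE_RANK = { viewer: 0, operator: 1, admin: 2 };

// Constructed audit log (JSON lines, time-ordered). dev-1 is approved as
// operator/read, rotates into admin at 19:21 without approval, is then
// legitimately upgraded by pairing at 19:30; dev-9 was never approved;
// dev-2 asks for a "shell" scope that pairing never granted.
const sampleLog = [
  '{"ts":"2026-04-28T18:00:00Z","event":"device.pair.approve","deviceId":"dev-1","role":"operator","scopes":["read"]}',
  '{"ts":"2026-04-28T18:05:00Z","event":"device.pair.approve","deviceId":"dev-2","role":"admin","scopes":["read","write","pair"]}',
  '{"ts":"2026-04-28T19:20:01Z","event":"device.token.rotate","deviceId":"dev-1","role":"operator","scopes":["read"]}',
  '{"ts":"2026-04-28T19:21:07Z","event":"device.token.rotate","deviceId":"dev-1","role":"admin","scopes":["read","write","pair"]}',
  '{"ts":"2026-04-28T19:30:00Z","event":"device.pair.approve","deviceId":"dev-1","role":"admin","scopes":["read","write"]}',
  '{"ts":"2026-04-28T19:31:00Z","event":"device.token.rotate","deviceId":"dev-1","role":"admin","scopes":["read","write"]}',
  '{"ts":"2026-04-28T19:40:00Z","event":"device.token.rotate","deviceId":"dev-9","role":"viewer","scopes":["read"]}',
  '{"ts":"2026-04-28T19:45:00Z","event":"device.token.rotate","deviceId":"dev-2","role":"admin","scopes":["read","write","pair","shell"]}',
];

// Walks the log once. Approvals update per-device state in time order, so a
// rotation is judged against the approval that was current when it happened.
function findUnapprovedRotations(lines) {
  const approvals = new Map();
  const findings = [];
  for (const line of lines) {
    let ev;
    try {
      ev = JSON.parse(line);
    } catch {
      findings.push({ ts: null, deviceId: null, reason: `unparseable line: ${line}` });
      continue;
    }
    if (ev.event === "device.pair.approve") {
      approvals.set(ev.deviceId, { role: ev.role, scopes: ev.scopes ?? [] });
      continue;
    }
    if (ev.event !== "device.token.rotate") continue;

    const approved = approvals.get(ev.deviceId);
    if (!approved) {
      findings.push({ ts: ev.ts, deviceId: ev.deviceId, reason: "rotate without any pairing approval" });
      continue;
    }
    const reasons = [];
    // An unknown role ranks as Infinity so it is always flagged.
    if ((ROLE_RANK[ev.role] ?? Infinity) > (ROLE_RANK[approved.role] ?? -1)) {
      reasons.push(`role ${ev.role} exceeds approved ${approved.role}`);
    }
    const extra = (ev.scopes ?? []).filter((s) => !approved.scopes.includes(s));
    if (extra.length > 0) reasons.push(`scopes not approved: ${extra.join(",")}`);
    if (reasons.length > 0) {
      findings.push({ ts: ev.ts, deviceId: ev.deviceId, reason: reasons.join("; ") });
    }
  }
  return findings;
}
```

Running findUnapprovedRotations(sampleLog) yields three findings: the 19:21:07 dev-1 rotation (admin role and write/pair scopes beyond the operator/read approval), the dev-9 rotation with no approval on record, and the dev-2 rotation carrying an unapproved shell scope. The 19:31 dev-1 rotation is not flagged because the 19:30 pairing approval preceded it, which is why the replay must consume approvals in order rather than compare against a final snapshot.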



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Values added (initial record; no values removed):
  • Description: OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.
  • Title: OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function
  • First Time appeared: Openclaw; Openclaw openclaw
  • Weaknesses: CWE-863
  • CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Openclaw; Openclaw openclaw
  • References: (none)
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T13:04:25.035Z

Reserved: 2026-04-27T11:38:59.195Z

Link: CVE-2026-42422

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:45.950

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-42422

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses