Description
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.
Published: 2026-04-28
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

OpenClaw before 2026.4.8 contains a vulnerability that lets a previously paired node reconnect and issue privileged, exec-capable commands without requiring the operator.admin scope. Because this authority check is missing, an attacker who controls a node that has already been paired can elevate privileges on the local assistant system, potentially executing arbitrary commands, modifying data, or disrupting services. The flaw is a direct privilege escalation caused by a scope-enforcement failure, identified as CWE-863.

Affected Systems

All installations of OpenClaw running a version earlier than 2026.4.8 are affected. The vulnerability applies to the OpenClaw application running on the Node.js platform and using its pairing feature to accept reconnections from previously paired nodes.

Risk and Exploitability

The CVSS score of 7.3 classifies this issue as high severity. No EPSS data is available, so the current exploitation rate is unknown, and the vulnerability is not listed in CISA's KEV catalog. The attack requires the attacker to own or compromise a node that has already been paired with the target system; once that node can initiate a reconnection, the attacker can execute privileged commands without additional authentication.

Generated by OpenCVE AI on April 28, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.4.8 or newer to apply the vendor fix
  • Enforce that only users with the operator.admin scope can reconnect nodes, modifying the pairing logic to validate scope before executing commands
  • Disable or restrict pairing of untrusted or remotely controlled nodes, limiting reconnection to trusted devices only
  • Review local assistant systems for evidence of unauthorized command execution and remove any compromised nodes

Tracking

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.
Title | | OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-863
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-28T18:10:20.570Z

Reserved: 2026-04-27T11:40:07.151Z

Link: CVE-2026-42432

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-28T19:37:47.190

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-42432

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses