Vulnerability Details CVE-2026-32042
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 26.9%
CVSS Severity
CVSS v3 Score 8.8
References