CVE-2026-32042
OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
Description
### Summary A client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including `operator.admin`) before pairing approval, enabling privilege escalation. ### Impact Attackers with valid shared gateway auth could self-assign higher operator scopes by presenting a self-signed, unpaired device identity. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `>= 2026.2.22 <= 2026.2.24` - Latest published npm at triage time: `2026.2.24` - Planned patched release: `2026.2.25` ### Remediation Require pairing for operator device-identity sessions authenticated with shared token/password auth (except existing control-ui trusted-proxy/control-ui bypass policy paths). ### Fix Commit(s) - `8d1481cb4a9d31bd617e52dc8c392c35689d9dea` ### Release Process Note `patched_versions` is pre-set to the release (`>= 2026.2.25`). Advisory published with npm release `2026.2.25`. OpenClaw thanks @tdjackey for reporting.
How to fix CVE-2026-32042
To remediate CVE-2026-32042, upgrade the affected package to a fixed version below.
- —upgrade to 2026.2.25 or later
Is CVE-2026-32042 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2026.2.22, < 2026.2.25
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |