What is the CVSS score of CVE-2026-32042?

CVE-2026-32042 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of OpenClaw are affected by CVE-2026-32042?

Authenticated users of OpenClaw versions 2026.2.22-2026.2.24 can illegally escalate their privileges to administrator level by bypassing device pairing controls, potentially allowing unauthorized…. A patch is available.

Is there a public PoC exploit available for CVE-2026-32042?

Yes, a public proof-of-concept exploit is available for CVE-2026-32042. Prioritise patching immediately. EPSS: 0.1%.

OpenClaw CVE-2026-32042

EUVD-2026-13933 HIGH

Incorrect Authorization (CWE-863)

2026-03-21 VulnCheck

GHSA-r3gm-fv85-xjqj

Authentication Bypass Privilege Escalation

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

PoC Detected

Mar 23, 2026 - 17:10 vuln.today

Public exploit code

EUVD ID Assigned

Mar 21, 2026 - 01:00 euvd

EUVD-2026-13933

Analysis Generated

Mar 21, 2026 - 01:00 vuln.today

Patch released

Mar 21, 2026 - 01:00 nvd

Patch available

CVE Published

Mar 21, 2026 - 00:42 nvd

HIGH 8.8

DescriptionNVD

OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.

AnalysisAI

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated attackers to bypass device pairing requirements and self-assign elevated operator.admin scopes. Attackers with valid shared gateway authentication credentials can present self-signed unpaired device identities to obtain administrator privileges before pairing approval is granted. …

RemediationAI

Within 24 hours: Identify all systems running OpenClaw 2026.2.22-2026.2.24 and assess exposure scope; notify relevant teams and restrict administrative access where possible. Within 7 days: Apply vendor patch to all affected OpenClaw instances and validate successful deployment through system testing. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-32042 vulnerability details – vuln.today

Back

OpenClaw CVE-2026-32042

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code