Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.31.
DescriptionCVE.org
OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted agent.request dispatch to achieve remote code execution on the gateway.
AnalysisAI
Remote code execution in OpenClaw gateway versions before 2026.3.31 allows attackers with trusted paired node credentials (role=node) to escalate privileges and execute arbitrary code on the gateway by abusing unrestricted agent.request dispatch functionality. The vulnerability stems from insufficient access controls on node.event agent requests, enabling low-privilege paired nodes to invoke gateway-side tools without restriction. EPSS exploitation probability and KEV status not yet available for this recently disclosed vulnerability, but a vendor patch and exploit details are publicly documented.
Technical ContextAI
OpenClaw is a distributed automation or orchestration platform that operates on a gateway-controller architecture with paired nodes communicating via event-based agent requests. The vulnerability (CWE-862: Missing Authorization) exists in the node.event agent request handling mechanism prior to version 2026.3.31. Paired nodes with role=node status are intended to have limited capabilities, but the gateway fails to properly validate authorization when processing agent.request dispatch commands. This authorization bypass allows low-privilege nodes to invoke gateway-side tools and functions that should be restricted to higher privilege contexts. The CVSS 4.0 vector indicates network-accessible attack requiring low privileges (PR:L) and attack complexity with present conditions (AT:P), resulting in complete compromise of gateway confidentiality, integrity, and availability (VC:H/VI:H/VA:H) with no impact to subsequent systems (SC:N/SI:N/SA:N).
RemediationAI
Upgrade immediately to OpenClaw version 2026.3.31 or later, which contains authorization fixes for node.event agent request handling as detailed in commit a77928b1087e90f2a8903f8e5aca6dec9237ac62 available at https://github.com/openclaw/openclaw/commit/a77928b1087e90f2a8903f8e5aca6dec9237ac62. If immediate patching is not feasible, implement compensating controls: disable or remove all paired nodes with role=node until patch deployment, restrict network access to the gateway's node.event endpoint to only trusted IP ranges using firewall rules (noting this reduces functionality and requires maintaining IP allowlists), and audit existing paired node credentials for unauthorized entries or compromised accounts. These workarounds significantly limit OpenClaw's distributed capabilities and should be considered temporary measures only. Review gateway logs for suspicious agent.request patterns from paired nodes prior to patching to identify potential exploitation attempts.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26087
GHSA-gjm7-hw8f-73rq