EUVD-2026-17003
GHSA-x8qx-w8w2-g4rx
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Tags
Description
OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrain newly minted scopes to the caller's current scope set. Attackers can obtain operator.admin tokens for paired devices and achieve remote code execution on connected nodes via system.run or gain unauthorized gateway-admin access.
Analysis
Privilege escalation in OpenClaw device token rotation (versions before 2026.3.11) enables authenticated attackers with operator.pairing scope to mint tokens with arbitrary elevated scopes, including operator.admin privileges. This scope validation bypass permits remote code execution on connected nodes via system.run API and unauthorized gateway-admin access. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all OpenClaw deployments and document current versions in use; restrict operator.pairing scope assignments to only essential personnel and audit existing role assignments. Within 7 days: Upgrade all OpenClaw instances to version 2026.3.11 or later; verify successful deployment across all nodes. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today