Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 3 npm packages depend on openclaw (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.24.
DescriptionCVE.org
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve scope-upgrade requests, widening paired device permissions from operator.read to operator.admin. Attackers can exploit this by triggering local reconnection to silently escalate privileges and achieve remote code execution on the node.
AnalysisAI
Privilege escalation in OpenClaw (versions prior to 2026.3.25) enables authenticated local attackers to silently elevate permissions from operator.read to operator.admin during shared-auth reconnection events, achieving remote code execution on affected nodes. The vulnerability exploits auto-approval of scope-upgrade requests in local reconnection flows, requiring low-privilege local access (PR:L) with no user interaction. No public exploit identified at time of analysis. Vendor-released patch available via commit 81ebc7e0344fd19c85778e883bad45e2da972229.
Technical ContextAI
CWE-648 (Incorrect Use of Privileged APIs) stems from shared-authentication reconnection logic failing to validate scope-upgrade requests. Local reconnection triggers silent auto-approval, escalating operator.read permissions to operator.admin without authorization checks. Exploitation chain: trigger local reconnect → auto-approve scope upgrade → execute privileged operations → achieve RCE on node infrastructure. Affects all OpenClaw versions prior to 2026.3.25.
RemediationAI
Vendor-released patch: Upgrade to OpenClaw version 2026.3.25 or later. Apply commit 81ebc7e0344fd19c85778e883bad45e2da972229 from upstream repository if building from source. Organizations unable to immediately patch should restrict local access to OpenClaw nodes, disable shared-authentication reconnection features in configuration files, or implement strict authorization controls for paired devices. Review audit logs for suspicious operator permission escalations from operator.read to operator.admin during reconnection events. Vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-fqw4-mph7-2vr8. Patch commit details: https://github.com/openclaw/openclaw/commit/81ebc7e0344fd19c85778e883bad45e2da972229. Additional technical analysis: https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-silent-local-shared-auth-reconnect.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-648 – Incorrect Use of Privileged APIs
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21108
GHSA-8vgj-c3fx-pprx