CVE-2026-35639
HIGHOpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation
Title source: cnaDescription
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure.
References (4)
Core 4
Core References
Third Party Advisory third-party-advisory
GitHub Security Advisory (GHSA-hf68-49fm-59cq)
https://github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cq
Patch patch
Patch Commit #1
https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
Patch patch
Patch Commit #2
https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-device-pair-approve-scope-validation
Scores
CVSS v3
8.8
EPSS
0.0046
EPSS Percentile
36.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-648
Status
published
Products (4)
npm/openclaw
0 - 2026.3.22npm
OpenClaw/OpenClaw
< 2026.3.22
openclaw/openclaw
< 2026.3.22
OpenClaw/OpenClaw
2026.3.22
Published
Apr 09, 2026
Tracked Since
Apr 10, 2026