CVE-2026-42426
HIGHOpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope
Title source: cnaDescription
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-67mf-f936-ppxf)
https://github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope
https://www.vulncheck.com/advisories/openclaw-improper-authorization-in-node-pair-approve-via-operator-write-scope
Scores
CVSS v3
8.8
EPSS
0.0028
EPSS Percentile
19.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-863
Status
published
Products (4)
npm/openclaw
0 - 2026.4.8npm
OpenClaw/OpenClaw
< 2026.4.8
openclaw/openclaw
< 2026.4.8
OpenClaw/OpenClaw
2026.4.8
Published
Apr 28, 2026
Tracked Since
Apr 29, 2026