High severity8.8NVD Advisory· Published Apr 9, 2026· Updated Apr 15, 2026
CVE-2026-35639
CVE-2026-35639
Description
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.3.22 | 2026.3.22 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87nvdPatchWEB
- github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4nvdPatchWEB
- github.com/advisories/GHSA-hf68-49fm-59cqghsaADVISORY
- github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cqnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-35639ghsaADVISORY
- www.vulncheck.com/advisories/openclaw-privilege-escalation-via-device-pair-approve-scope-validationnvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.