High severity 8.8 · NVD Advisory · Published Apr 28, 2026 · Updated Apr 30, 2026
CVE-2026-42426
Description
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.4.8 | 2026.4.8 |
References
- github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5 (nvd, Patch, WEB)
- github.com/advisories/GHSA-67mf-f936-ppxf (ghsa, ADVISORY)
- github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-42426 (ghsa, ADVISORY)
- www.vulncheck.com/advisories/openclaw-improper-authorization-in-node-pair-approve-via-operator-write-scope (nvd, Third Party Advisory, WEB)