A critical privilege escalation vulnerability in OpenClaw (CVE-2026-32922, CVSS 9.9) allows any authenticated device with basic operator.pairing scope to escalate to full administrative control and achieve remote code execution on all connected nodes. The flaw was disclosed on March 29, 2026, and a fix is available in version 2026.3.11.
Given OpenClaw’s scale — over 340,000 GitHub stars and an estimated 135,000+ internet-exposed instances — this is one of the more consequential infrastructure vulnerabilities disclosed this year.
What Happened
The vulnerability lives in OpenClaw’s rotateDeviceToken function in src/infra/device-pairing.ts (lines 289–312). When a device calls the device.token.rotate endpoint, the function accepts a scopes parameter from the caller and passes it directly to buildDeviceAuthToken without verifying that the requested scopes are a subset of the caller’s existing scope set.
In practical terms: any device that has been paired with at least operator.pairing scope can request a new token with operator.admin or gateway-admin privileges. The system hands it over, no questions asked.
The Exploit Chain
The attack is straightforward and requires no special tooling:
- An attacker compromises or controls any device paired to an OpenClaw gateway with operator.pairing scope, the minimum scope granted during standard device onboarding.
- The attacker calls device.token.rotate and requests a token with operator.admin scope.
- OpenClaw mints the elevated token without validation.
- With operator.admin, the attacker can invoke system.run on any connected node, achieving arbitrary command execution.
- Alternatively, escalating to gateway-admin grants full control over the gateway itself, including configuration changes, node enrollment, and network policy modification.
A single API call converts a low-privilege pairing token into complete infrastructure compromise.
Impact
The blast radius here is significant:
- Direct RCE on any node connected to the compromised gateway via system.run
- Full gateway takeover through gateway-admin scope, allowing the attacker to modify network policies, enroll rogue nodes, or pivot laterally
- Lateral movement across all devices managed by the gateway
- No user interaction required: exploitation is fully automated once a pairing token is obtained
Organizations running OpenClaw as part of their IoT or edge infrastructure management stack should treat this as a critical incident. The minimal prerequisites (any paired device) and maximum impact (full RCE + gateway control) make this an attractive target for both opportunistic and targeted attackers.
Affected Versions
All OpenClaw versions prior to 2026.3.11 are vulnerable.
Remediation
Upgrade to OpenClaw 2026.3.11 or later immediately. The fix introduces a scopeIntersection function in src/routes/device-pair.js that enforces caller-scope subsetting — newly minted tokens can only contain scopes that the caller already possesses.
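To make the bug and the fix concrete, here is an added illustration in TypeScript (the language of the affected file). It is not OpenClaw's code: the names rotateDeviceToken, buildDeviceAuthToken and scopeIntersection come from this advisory, but their signatures, the DeviceToken shape, the scope strings and the sample device are assumptions made for the example. The vulnerable variant passes caller-supplied scopes straight to the minter, as described above; the fixed variant only mints scopes the caller already holds and refuses anything beyond them.

```typescript
// Added example reconstructing the bug described in this advisory. It is not
// OpenClaw's source: rotateDeviceToken, buildDeviceAuthToken and
// scopeIntersection are the names the advisory uses, but their signatures,
// the DeviceToken shape and the sample scopes below are assumptions.

type Scope = string;

interface DeviceToken {
  deviceId: string;
  scopes: Scope[];
  issuedAt: number;
}

// Stand-in for the real minter. It signs whatever scope set it is handed,
// which is exactly why the caller must validate the set before calling it.
function buildDeviceAuthToken(deviceId: string, scopes: Scope[]): DeviceToken {
  return { deviceId, scopes: Array.from(new Set(scopes)), issuedAt: Date.now() };
}

// Pre-2026.3.11 shape: the caller-supplied scopes flow straight into the
// minter, so a device holding only operator.pairing can ask for
// operator.admin or gateway-admin and receive it.
function rotateDeviceTokenVulnerable(caller: DeviceToken, requested: Scope[]): DeviceToken {
  return buildDeviceAuthToken(caller.deviceId, requested);
}

// Fixed shape: keep only the requested scopes the caller already holds.
function scopeIntersection(callerScopes: Scope[], requested: Scope[]): Scope[] {
  const held = new Set(callerScopes);
  return requested.filter((s) => held.has(s));
}

// Design choice for this example: a request that reaches beyond the caller's
// set is rejected, not silently trimmed, so the attempt surfaces as an error
// that can be logged and alerted on.
function rotateDeviceTokenFixed(caller: DeviceToken, requested: Scope[]): DeviceToken {
  const held = new Set(caller.scopes);
  const denied = requested.filter((s) => !held.has(s));
  if (denied.length > 0) {
    throw new Error(`scope escalation refused for ${caller.deviceId}: ${denied.join(", ")}`);
  }
  return buildDeviceAuthToken(caller.deviceId, scopeIntersection(caller.scopes, requested));
}

// Constructed sample: a device straight out of onboarding, pairing scope only.
const pairedDevice: DeviceToken = { deviceId: "dev-0001", scopes: ["operator.pairing"], issuedAt: 0 };

// Runs the same escalation request through both variants and reports what
// each one hands back.
function compareVariants(): { vulnerableScopes: Scope[]; fixedRefused: boolean } {
  const escalate: Scope[] = ["operator.pairing", "operator.admin"];
  const vulnerableScopes = rotateDeviceTokenVulnerable(pairedDevice, escalate).scopes;
  let fixedRefused = false;
  try {
    rotateDeviceTokenFixed(pairedDevice, escalate);
  } catch {
    fixedRefused = true;
  }
  return { vulnerableScopes, fixedRefused };
}

console.log(compareVariants());
```

Rejecting rather than trimming is a deliberate choice here: a silently narrowed token hides the escalation attempt, whereas an explicit error gives you an event to alert on and a device ID to investigate.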
If you cannot upgrade immediately:
- Audit paired devices: review all devices with operator.pairing scope and revoke tokens for any that are unrecognized or unnecessary
- Monitor for anomalous token rotations: look for device.token.rotate calls where the requested scope set is not a subset of the caller's existing scopes
- Network segmentation: restrict which nodes can reach the device.token.rotate endpoint at the network level
- Rotate all device tokens after upgrading to invalidate any potentially escalated tokens, since tokens minted before the fix remain valid until revoked
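The monitoring step above is easy to get wrong if you flag every rotation whose scopes merely differ from the caller's, because a device dropping a scope is benign. The added example below (not OpenClaw tooling) runs the subset check over constructed gateway audit records; the JSON-lines layout with method, deviceId, callerScopes and requestedScopes fields is an assumption for the example, so map it onto whatever your gateway actually logs.

```typescript
// Added detection example, not OpenClaw tooling. The audit record layout
// (JSON lines carrying method, deviceId, callerScopes, requestedScopes) is
// assumed for this example; adapt the parser to your gateway's real log.

interface RotateEvent {
  ts: string;
  method: string;
  deviceId: string;
  callerScopes: string[];
  requestedScopes: string[];
}

interface Finding {
  ts: string;
  deviceId: string;
  escalatedScopes: string[];
}

// Constructed sample log: a benign rotation, an unrelated call, and a device
// that first escalates to operator.admin and then on to gateway-admin.
const sampleLog = `
{"ts":"2026-03-30T08:01:12Z","method":"device.token.rotate","deviceId":"dev-0001","callerScopes":["operator.pairing"],"requestedScopes":["operator.pairing"]}
{"ts":"2026-03-30T08:02:45Z","method":"device.token.rotate","deviceId":"dev-0007","callerScopes":["operator.pairing"],"requestedScopes":["operator.pairing","operator.admin"]}
{"ts":"2026-03-30T08:03:10Z","method":"device.list","deviceId":"dev-0002","callerScopes":["operator.pairing"],"requestedScopes":[]}
{"ts":"2026-03-30T08:04:03Z","method":"device.token.rotate","deviceId":"dev-0007","callerScopes":["operator.admin"],"requestedScopes":["gateway-admin"]}
`.trim();

function parseLog(text: string): RotateEvent[] {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => JSON.parse(line) as RotateEvent);
}

// A rotation is suspicious only when it requests a scope the caller did not
// already hold; requesting fewer scopes is a normal, benign rotation.
function findEscalations(events: RotateEvent[]): Finding[] {
  const findings: Finding[] = [];
  for (const ev of events) {
    if (ev.method !== "device.token.rotate") continue;
    const held = new Set(ev.callerScopes);
    const escalated = ev.requestedScopes.filter((s) => !held.has(s));
    if (escalated.length > 0) {
      findings.push({ ts: ev.ts, deviceId: ev.deviceId, escalatedScopes: escalated });
    }
  }
  return findings;
}

function runDetection(): Finding[] {
  return findEscalations(parseLog(sampleLog));
}

console.log(runDetection());
```

On the sample above the benign rotation for dev-0001 is not reported, while both of dev-0007's requests are, which also shows the chained pattern worth hunting for: a pairing-only device gaining operator.admin and then using that token to request gateway-admin.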
Timeline
- 2026-03-29: CVE-2026-32922 publicly disclosed
- 2026-03-29: OpenClaw 2026.3.11 released with fix
- 2026-04-09: 135,000+ instances remain internet-exposed per Shodan data