HIGHCVE-2026-42426Published 2026-04-28Modified 2026-04-29CNA VulnCheck

CVE-2026-42426: OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope

OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 2026.4.8
Affected Products: 1

Fix available

2026.4.8

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.4.8 (from 0)
Fixed in 2026.4.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-67mf-f936-ppxf)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope

Metrics

Fix available