Role Bypass Vulnerability in OpenClaw by OpenClaw
CVE-2026-42422

7.7HIGH

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 28 April 2026

What is CVE-2026-42422?

OpenClaw versions prior to 2026.4.8 are susceptible to a role bypass vulnerability within the device.token.rotate function. This flaw allows attackers to mint tokens for unapproved roles, effectively bypassing the device role-upgrade pairing mechanism designed to safeguard role and scope approvals. As a result, unauthorized tokens can be created, leading to potential escalations in privileges and access to sensitive data.

Affected Version(s)

OpenClaw 0 < 2026.4.8

OpenClaw 2026.4.8

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://github.com/openclaw/openclaw/commit/d7c3210cd6f5f...

patch

https://www.vulncheck.com/advisories/openclaw-role-bypass...

third-party-advisory

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 28, 2026
Vulnerability Reserved
Apr 27, 2026

Credit

Nicky (@nicky-cc)

CVE-2026-42422 Data

JSON

Openclaw

What is CVE-2026-42422?

Affected Version(s)

References

CVSS V4

Timeline

Credit