OpenClaw Privilege Escalation Vulnerability (CVE-2026-32922)
OpenClaw before 2026.3.11 is vulnerable to privilege escalation in the device.token.rotate function, allowing attackers with limited operator.pairing scope to mint tokens with elevated operator.admin privileges, potentially leading to remote code execution.
OpenClaw versions prior to 2026.3.11 are susceptible to a critical privilege escalation vulnerability identified as CVE-2026-32922. This flaw resides within the device.token.rotate function. Attackers who have already gained operator.pairing scope can exploit this vulnerability to mint new tokens with broader, unauthorized scopes, due to a failure in the application to properly constrain the newly minted scopes. This allows attackers to elevate their privileges to operator.admin on paired…
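Added example, not OpenClaw's own code and with hypothetical names: the rotate-handler pattern the description refers to (new scopes taken from the request without being constrained) beside a hardened version that refuses any scope the caller's current token does not already hold.

```typescript
// Hypothetical scope vocabulary modelled on the scope names in the advisory.
type Scope = "operator.read" | "operator.pairing" | "operator.admin";

interface Token {
  id: string;
  scopes: Scope[];
}

interface RotateRequest {
  token: Token;              // the caller's current (authenticated) token
  requestedScopes?: Scope[]; // scopes the caller asks for on the new token
}

let counter = 0;
function mint(scopes: Scope[]): Token {
  return { id: `tok-${++counter}`, scopes: [...new Set(scopes)] };
}

// Returns the requested scopes that the current token does not already grant.
// Useful both for the authorization check and for flagging rotations in audit logs.
export function escalatedScopes(current: Scope[], requested: Scope[]): Scope[] {
  const held = new Set(current);
  return requested.filter((s) => !held.has(s));
}

// Flawed pattern: the requested scope list is trusted as-is, so a token holding
// only operator.pairing can be rotated into one holding operator.admin.
export function rotateUnconstrained(req: RotateRequest): Token {
  return mint(req.requestedScopes ?? req.token.scopes);
}

// Hardened pattern: a rotation may only narrow or keep the caller's scopes.
export function rotateConstrained(req: RotateRequest): Token {
  const requested = req.requestedScopes ?? req.token.scopes;
  const extra = escalatedScopes(req.token.scopes, requested);
  if (extra.length > 0) {
    throw new Error(`rotation refused: scope escalation to ${extra.join(", ")}`);
  }
  return mint(requested);
}
```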
Detection coverage (2)
Detect OpenClaw Token Rotation Exploit Attempt
Severity: high. Detects attempts to exploit CVE-2026-32922 by monitoring HTTP POST requests to the /device.token.rotate endpoint, potentially indicating unauthorized token minting.
Detect OpenClaw system.run execution
Severity: critical. Detects execution of system.run, which is used to run arbitrary code on connected nodes. This can be used as a follow-up to a successful exploit of CVE-2026-32922.
Detection queries are kept inside the platform.
Indicators of compromise (2)