{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-42422/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-42422"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["role-bypass","privilege-escalation","cve-2026-42422"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a yet-to-be-defined software, is vulnerable to a role bypass flaw affecting versions prior to 2026.4.8. This vulnerability, identified as CVE-2026-42422, resides within the \u003ccode\u003edevice.token.rotate\u003c/code\u003e function. Attackers can exploit this weakness to mint tokens associated with roles that have not undergone proper authorization. The core issue lies in the ability to bypass the intended device role-upgrade pairing mechanism, granting unauthorized access to roles and scopes. This circumvention allows malicious actors to either maintain existing roles illegitimately or create new ones without appropriate approval, potentially leading to significant privilege escalation and unauthorized data access within the affected system. Defenders need to ensure they are running at least version 2026.4.8.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenClaw instance running a version prior to 2026.4.8.\u003c/li\u003e\n\u003cli\u003eAttacker interacts with the \u003ccode\u003edevice.token.rotate\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to mint a token, specifying an unapproved role.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the system incorrectly validates the request.\u003c/li\u003e\n\u003cli\u003eA token is minted successfully with the unapproved role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the minted token to authenticate to the OpenClaw instance.\u003c/li\u003e\n\u003cli\u003eThe attacker now has access to resources and functionalities associated with the unapproved role.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions with elevated privileges, bypassing intended access controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42422 allows attackers to bypass intended authorization mechanisms within OpenClaw. This can lead to significant privilege escalation, potentially granting unauthorized access to sensitive data and critical system functionalities. The impact depends on the specific roles and scopes that can be minted, but it could range from data breaches to complete system compromise. While the exact number of affected systems remains unclear, any OpenClaw deployment prior to version 2026.4.8 is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all OpenClaw installations to version 2026.4.8 or later to remediate CVE-2026-42422.\u003c/li\u003e\n\u003cli\u003eMonitor logs for unusual activity related to the \u003ccode\u003edevice.token.rotate\u003c/code\u003e function, particularly requests attempting to mint tokens with unexpected or unapproved roles.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OpenClaw Token Minting with Unapproved Roles\u0026rdquo; to detect exploitation attempts targeting CVE-2026-42422.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-role-bypass/","summary":"OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function, allowing attackers to mint tokens for unapproved roles and bypass intended approval processes.","title":"OpenClaw Role Bypass Vulnerability in device.token.rotate Function","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-role-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-42422","version":"https://jsonfeed.org/version/1.1"}