PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42429 OpenClaw CVE debrief

A privilege escalation vulnerability exists in OpenClaw versions prior to 2026.4.8, specifically within the gateway plugin's HTTP authentication mechanism. The flaw allows an attacker holding only operator.read permissions to perform runtime operations that require operator.write permissions by sending read-scoped requests through the gateway authentication route. This is an incorrect authorization flaw (CWE-863): the authentication layer does not enforce the scope boundary between read and write operations. The vulnerability has a CVSS 4.0 base score of 6.0 (MEDIUM severity), reflecting a network attack vector, low attack complexity, and low privileges required. The issue was disclosed on April 28, 2026, and the NVD record was subsequently modified on May 26, 2026. A patch is available via commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5, and the vendor has published a security advisory. Organizations using affected OpenClaw versions should prioritize upgrading to version 2026.4.8 or later, particularly if the gateway plugin is deployed in production environments with multi-tenant or role-separated access controls.

Vendor
OpenClaw
Product
Unknown
CVSS
MEDIUM (6.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-28
Original CVE updated
2026-05-26
Advisory published
2026-04-28
Advisory updated
2026-05-26

Who should care

Organizations running OpenClaw with the gateway plugin enabled, particularly those with multi-tenant deployments, role-based access control implementations, or environments where read-only operators require restricted access to runtime operations. Security teams responsible for authentication and authorization infrastructure, DevOps engineers managing OpenClaw deployments, and compliance officers monitoring for privilege escalation risks should prioritize this remediation.

Technical summary

The vulnerability resides in OpenClaw's gateway plugin HTTP authentication mechanism, where insufficient authorization checks allow identity-bearing requests carrying only the operator.read scope to be processed as if they held operator.write. The authentication layer does not validate that the scope required by the requested operation is among the scopes actually granted, enabling privilege escalation through the gateway auth route. This affects all OpenClaw versions prior to 2026.4.8 on Node.js. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N) indicates network accessibility, low attack complexity, attack requirements present (the attacker must already hold a read-scoped identity), low privileges required, no user interaction, and low confidentiality but high integrity impact on the vulnerable component, with no availability impact. The patch commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 addresses the authorization logic flaw.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade OpenClaw to version 2026.4.8 or later to remediate the privilege escalation vulnerability in the gateway plugin
  • Review and audit existing operator.read role assignments to identify potential exposure to unauthorized write access
  • Verify that gateway plugin HTTP authentication configurations enforce proper scope separation between read and write operations
  • Monitor runtime operation logs for anomalous write activity from accounts with read-only permissions
  • Apply principle of least privilege by restricting gateway authentication route access to necessary operators only
  • Review the vendor security advisory for additional configuration guidance specific to your deployment environment
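As an added example (not OpenClaw's code and not from the advisory), the scope check the Technical summary describes as missing, written next to the weak pattern it replaces, plus a triage over constructed log lines for the monitoring action above. The operation names, principal names and log format are assumptions; only the operator.read and operator.write scope names come from the advisory.

```javascript
// Added example; not OpenClaw's code. Operation names below are constructed for
// illustration. Only the scope names operator.read / operator.write come from the advisory.
const OPERATION_SCOPE = {
  "runtime.status": "operator.read",
  "runtime.list": "operator.read",
  "runtime.restart": "operator.write",
  "runtime.config.set": "operator.write",
};

// Weak pattern (CWE-863): any authenticated identity with some operator scope is
// let through, so a read-scoped caller reaches write handlers.
function authorizeWeak(grantedScopes, operation) {
  if (!(operation in OPERATION_SCOPE)) return false;
  return grantedScopes.some((s) => s.startsWith("operator."));
}

// Hardened check: the exact scope the operation requires must have been granted.
// Unknown operations are denied, and no scope implies another.
function authorizeStrict(grantedScopes, operation) {
  const required = OPERATION_SCOPE[operation];
  if (required === undefined) return false;
  return grantedScopes.includes(required);
}

// Log triage for "monitor runtime operation logs": flag successful operations
// whose required scope was not among the caller's granted scopes.
function parseLogLine(line) {
  const [ts, ...pairs] = line.trim().split(/\s+/);
  const f = Object.fromEntries(pairs.map((kv) => kv.split("=", 2)));
  return { ts, principal: f.principal, scopes: (f.scopes || "").split(","), op: f.op, result: f.result };
}

function findScopeViolations(logText) {
  return logText.split("\n").filter((l) => l.trim() !== "").map(parseLogLine)
    .filter((e) => e.result === "ok" && !authorizeStrict(e.scopes, e.op))
    .map((e) => `${e.ts} ${e.principal} performed ${e.op} with scopes [${e.scopes.join(",")}]`);
}

// Constructed sample log; not real OpenClaw output. The second line is the
// pattern a read-only account exploiting this flaw would leave behind.
const SAMPLE_LOG = `
2026-04-28T19:40:01Z principal=ops-viewer scopes=operator.read op=runtime.status result=ok
2026-04-28T19:40:07Z principal=ops-viewer scopes=operator.read op=runtime.restart result=ok
2026-04-28T19:41:13Z principal=ops-admin scopes=operator.read,operator.write op=runtime.restart result=ok
2026-04-28T19:42:20Z principal=ops-viewer scopes=operator.read op=runtime.config.set result=denied
`;

console.log(findScopeViolations(SAMPLE_LOG));
```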

Evidence notes

Vulnerability confirmed through the official NVD record with CVSS 4.0 vector. Patch commit and vendor advisory are available. Third-party analysis from VulnCheck provides additional technical context. CPE criteria confirm that the affected versions are all releases prior to 2026.4.8 on the Node.js platform.

Official resources

2026-04-28T19:37:46.773Z