What is CVE-2026-32922?

A CVSS 9.9 privilege escalation vulnerability in OpenClaw device.token.rotate that lets any paired device escalate to full admin with one API call.

How does CVE-2026-32922 work?

The rotateDeviceToken function accepts a scopes parameter from the caller and passes it to buildDeviceAuthToken without verifying scopes are a subset of the callers existing scope set.

Which OpenClaw versions are affected by CVE-2026-32922?

All versions before v2026.3.11. The fix shipped on March 13, 2026.

How many OpenClaw CVEs were disclosed in March 2026?

Nine CVEs in four days (March 18-21), with 137 total security advisories tracked between February and April 2026.

How do I fix CVE-2026-32922 in my OpenClaw instance?

Update to OpenClaw v2026.3.11 or later. The patch adds scope validation in device.token.rotate to constrain new token scopes.

What is the CVSS score for CVE-2026-32922?

9.9 on CVSS 3.1 and 9.4 on CVSS 4.0, making it the most critical vulnerability in OpenClaw history.

Can CVE-2026-32922 lead to remote code execution?

Yes. After escalating to operator.admin, an attacker can execute arbitrary commands across every connected node.

← Back to dashboard

clawsmith.com/signal/cve-2026-32922-cvss-99-privilege-escalation-openclaw

⚠ IssueWide OpenLive

CVE-2026-32922: CVSS 9.9 Privilege Escalation Lets Any Paired Device Become Full Admin

OpenClaw's device.token.rotate function fails to constrain new token scopes to the caller's existing scope set. Any device with operator.pairing scope can request and receive operator.admin in one API call. CVSS 9.9. Fixed in v2026.3.11. 137 total security advisories tracked between February and April 2026.

Product Idea from this Signal

A CLI tool that audits OpenClaw device token scopes and blocks privilege escalation paths before attackers exploit them

920 ▲

CVE-2026-32922 (CVSS 9.9) proved that a single API call to device.token.rotate can escalate any paired device to full admin. The root cause was missing scope validation, but the broader problem is that OpenClaw operators have zero visibility into which devices hold what scopes, which tokens have been rotated suspiciously, and whether their instance is still vulnerable. 137 security advisories were filed in 60 days. This CLI tool continuously audits device tokens, flags over-scoped devices, detects rotation anomalies, and blocks escalation attempts at the gateway level.

SECURITYCLIDEVTOOLOPEN-SOURCE

CompetitiveView Opportunity →