What is CVE-2026-42426?

CVE-2026-42426 is a high-severity vulnerability in Openclaw, classified under Incorrect Authorization. CVSS score: 8.8/10. Published 2026-04-28.

How severe is CVE-2026-42426?

High severity. CVSS v3 base score is 8.8 out of 10.

Auth bypass in Openclaw

CVE-2026-42426

OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing…

Vulnerability class: Broken Access Control

EPSS: 0.000 (12.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Openclaw — versions 0, 2026.4.8

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

GitHub Security Advisory (GHSA-67mf-f936-ppxf) (vendor-advisory, Vendor Advisory)
Patch Commit (Patch, patch)
VulnCheck Advisory: OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-42426?: CVE-2026-42426 is a high-severity vulnerability in Openclaw, classified under Incorrect Authorization. CVSS score: 8.8/10. Published 2026-04-28.
How severe is CVE-2026-42426?: High severity. CVSS v3 base score is 8.8 out of 10.