OpenClaw CVE-2026-42426: Improper Authorization Allows Node Pairing Bypass
The National Vulnerability Database has detailed CVE-2026-42426, a high-severity improper authorization vulnerability in OpenClaw versions prior to 2026.4.8. This flaw allows unprivileged users to approve node pairing due to the node.pair.approve method incorrectly accepting the broad operator.write scope instead of the more restrictive operator.pairing scope.
Attackers who possess operator.write permissions can exploit this weakness to bypass intended pairing approval restrictions. This grants them unauthorized access to exec-capable nodes, posing a significant risk for privilege escalation and system compromise. The CVSS score for this vulnerability is 8.8 (HIGH), underscoring its critical nature.
Defenders must recognize the implications: operator.write permissions, often considered less critical than full admin, can now be leveraged for deep system access. This shifts the attacker’s calculus, making lateral movement and privilege escalation easier once initial access is gained. Organizations using OpenClaw should prioritize patching immediately to mitigate this risk.
What This Means For You
- If your organization uses OpenClaw, immediately check your version and apply patches for CVE-2026-42426 if running anything before 2026.4.8. Audit permissions for `operator.write` scope and ensure it's only granted to truly privileged accounts, understanding its new potential for node pairing bypass.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-42426: OpenClaw Node Pairing Bypass via Improper Authorization
title: CVE-2026-42426: OpenClaw Node Pairing Bypass via Improper Authorization
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
Detects the specific API endpoint '/api/v1/node.pair.approve' being called via POST, which is the target of the improper authorization vulnerability in OpenClaw CVE-2026-42426. This allows unprivileged users with operator.write scope to bypass pairing approval restrictions.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-42426/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/api/v1/node.pair.approve'
cs-method:
- 'POST'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42426 | Vulnerability | CVE-2026-42426 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 22:37 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Daily Security Digest — 2026-04-28
80 vulnerability disclosures (20 Critical, 60 High) and 25 curated intelligence stories from 9 sources.
CVE-2026-42431: OpenClaw Vulnerability Allows Persistent Browser Profile Mutation
CVE-2026-42431 — OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to...
OpenClaw CVE-2026-42422: Role Bypass Allows Unapproved Token Minting
CVE-2026-42422 — OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device...