CVE-2026-42422 HIGH

CVE-2026-42422: OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function

Vendor Openclaw

Product OpenClaw

Weakness CWE-863 · Incorrect authorization

Published April 28, 2026

Last update April 29, 2026

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.

Key dates

02Disclosure timeline

April 28, 2026 CVE published

April 29, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-42422

Related vulnerabilities

04Related CVE

CVE-2025-24872 Missing Authorization check in SAP ABAP Platform (ABAP Build Framework) CVE-2025-15525 Ajax Load More – Infinite Scroll, Lazy Load & Load More <= 7.8.1 - Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure CVE-2026-3526 File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021 CVE-2026-22595 Ghost has Staff Token permission bypass CVE-2024-28148 Apache Superset: Incorrect datasource authorization on explore REST API