LeakyCreds

CVE-2026-32922 - Vulnerability Analysis

Critical | CVSS: 9.9

Last Updated: March 29, 2026

OpenClaw - Privilege Escalation

Published: March 29, 2026 | Updated: March 29, 2026 | Remote Exploitable

Overview

OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate. The handler fails to constrain the scopes of a newly minted token to the caller's current scopes, so a caller holding only the operator.pairing scope can mint a token with broader scopes and gain admin access. Exploitation requires the operator.pairing scope.
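The following is an added illustration of the bug class described above and of the corresponding fix and audit check; it is not OpenClaw's code. The Token type, the function names and the scope string "operator.admin" are hypothetical, and the audit records are constructed.

```typescript
// Added illustration, not OpenClaw's own code: the Token type, the function
// names and the scope string "operator.admin" are hypothetical.
interface Token {
  id: string;
  scopes: string[];
}

// Returns the requested scopes that the caller does not already hold.
// An empty result means the rotation cannot widen the caller's authority.
function scopesExceedingCaller(caller: Token, requested: string[]): string[] {
  return requested.filter((s) => !caller.scopes.includes(s));
}

// Vulnerable pattern: whatever scopes the request names are minted as-is,
// so a caller holding only operator.pairing can ask for an admin scope.
function rotateTokenUnchecked(caller: Token, requested: string[]): Token {
  return { id: `${caller.id}-rotated`, scopes: [...requested] };
}

// Hardened pattern: refuse any rotation whose minted scopes are not a
// subset of the caller's current scopes.
function rotateTokenConstrained(caller: Token, requested: string[]): Token {
  const escalated = scopesExceedingCaller(caller, requested);
  if (escalated.length > 0) {
    throw new Error(`rotation refused, scope escalation: ${escalated.join(", ")}`);
  }
  return { id: `${caller.id}-rotated`, scopes: [...requested] };
}

// Retrospective check over audit records: flag past rotations in which the
// minted scopes exceeded the caller's scopes at the time of the call.
interface RotationRecord { tokenId: string; callerScopes: string[]; mintedScopes: string[] }

function findSuspiciousRotations(records: RotationRecord[]): string[] {
  return records
    .filter((r) => scopesExceedingCaller({ id: r.tokenId, scopes: r.callerScopes }, r.mintedScopes).length > 0)
    .map((r) => r.tokenId);
}

// Constructed sample inputs (hypothetical scope names and token ids).
const pairingOnly: Token = { id: "tok-pairing", scopes: ["operator.pairing"] };
const sampleRecords: RotationRecord[] = [
  { tokenId: "t1", callerScopes: ["operator.pairing"], mintedScopes: ["operator.pairing"] },
  { tokenId: "t2", callerScopes: ["operator.pairing"], mintedScopes: ["operator.pairing", "operator.admin"] },
];

console.log("rotations that widened scope:", findSuspiciousRotations(sampleRecords));
```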

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Attackers can escalate privileges to admin, execute remote code, and gain unauthorized gateway-admin access.

Mitigation

Update to version 2026.3.11 or later.

Social Media Activity (4 posts)

TheHackerWire
@thehackerwire
Mar 29, 2026

🔴 CVE-2026-32922 - Critical (9.9) OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrain newly minted scopes to the caller's current s... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32922/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID
CVE-2026-32922
Severity
Critical
CVSS Score
9.9
Type
broken_access_control
Status
new
EPSS
0.0%
Social Posts
4

CWE

  • CWE-266

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.0% (probability of exploitation in the next 30 days)