CVSS 8.8 · HIGH

CVE-2026-42422

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.

View on NVD

Analysis

OpenClaw appears to be a niche device management or utility project rather than a widely used piece of infrastructure or dev tooling. While the auth bypass is severe for its users, it does not meet the threshold for general community interest in the MexicoDev stack.

Severity

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-863

EPSS

Probability of exploitation (next 30 days): 0.0004 (0.0%)
Percentile: 13.1%
EPSS date: 2026-05-06

Affects

openclaw:openclaw


Published: 28/4/2026, 19:37:45
Last modified: 30/4/2026, 14:04:50
