Scope bug lets OpenClaw mint admin device tokens
TL;DR — OpenClaw’s device.token.rotate can let pairing-scoped callers mint operator.admin tokens for paired devices, enabling gateway admin takeover and potentially node-level remote code execution.
What happened
OpenClaw is an npm-distributed automation/agent platform that issues scoped tokens for controlling gateways and connected devices/nodes.
CVE-2026-32922 reports a critical privilege escalation in OpenClaw’s device.token.rotate: callers with only operator.pairing scope can mint a new token with broader scopes because the server fails to constrain the newly minted scopes to the caller’s current scope set. In practical terms, an attacker can obtain operator.admin tokens for paired devices and then (depending on deployment) use that privilege to reach remote code execution on connected nodes via system.run, or gain unauthorized gateway-admin access.
The CVE lists CVSS v3.1 base score 9.9 (Critical) with network attack vector and low required privileges. This is a high-blast-radius class of bug for agent/automation systems: once scope boundaries collapse, “token minting” becomes an escalation primitive that can turn routine operational permissions into infrastructure-level execution.
Who is impacted
- Deployments using `openclaw` (npm) versions before 2026.3.11.
- Environments where untrusted or semi-trusted operators/services hold `operator.pairing` and can call `device.token.rotate`.
- Highest-risk deployments are those with connected node hosts/companions that expose privileged execution surfaces such as `system.run`.
| Source | Affected versions | Patched / unaffected |
|---|---|---|
| CVE record (CVEProject / VulnCheck CNA) | < 2026.3.11 | 2026.3.11 |
| GitHub Security Advisory (GHSA-4jpw-hj22-2xmc) | <= 2026.3.8 | 2026.3.11 |
Note: the CVE record and GHSA differ on the affected upper bound (<= 2026.3.8 vs < 2026.3.11); treat the exposure window conservatively until you validate against your deployed build.
What to do now
- Follow vendor remediation guidance and apply a release that includes the fix: "Upgrade to 2026.3.11 or later."
- Inventory where `openclaw` is deployed (lockfiles, container images, build artifacts) and identify services/users with `operator.pairing` capability.
- Assume tokens minted via `device.token.rotate` may be an escalation path in affected deployments:
  - Review audit logs (or equivalent) for `device.token.rotate` usage and unexpected scope changes.
  - Rotate credentials/tokens associated with gateways and paired devices if you cannot rule out abuse.
- If your deployment exposes node execution tooling (e.g., `system.run`), treat this as an app-layer pathway to infrastructure compromise: prioritize patching those environments first and validate that admin-level actions were not performed by unexpected principals.
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
