CRITICAL · CVE-2026-33577 · CVSS 9.8

CVE-2026-33577: Privilege Escalation in OpenClaw

Platform

nodejs

Component

openclaw

Fixed in

2026.3.28

AI Confidence: high · Source: NVD · EPSS: 0.0% · Reviewed: May 2026

CVE-2026-33577 is a privilege escalation vulnerability in OpenClaw's node pairing approval process. Because the approval path did not validate the scopes being granted against the approver's own privileges, a lower-privileged operator could approve a pairing request carrying broader scopes than that operator was entitled to grant, and thereby obtain elevated access on the paired node. Versions of OpenClaw prior to 2026.3.28 are vulnerable; the fix ships in version 2026.3.28.

Impact and Attack Scenarios

The core impact of CVE-2026-33577 is privilege escalation. An operator with limited permissions, but with the right to approve node pairing requests, could approve a request whose scopes exceed that operator's own, giving the paired node (and whoever controls it) more access than the approver was ever authorized to hand out. Depending on the scopes granted, that could mean reading sensitive data, modifying configuration, or executing commands on the paired node. The blast radius is everything reachable by the over-scoped node, which in a multi-node deployment can extend to the rest of the OpenClaw infrastructure. The root cause is a missing authorization check in the node pairing approval path, not a memory-safety defect.

Exploitation Context

CVE-2026-33577 was publicly disclosed on 2026-04-01. There is currently no indication of active exploitation and no KEV listing. The severity is rated CRITICAL because of the privilege escalation outcome. No public proof-of-concept is known. Because the flaw is insufficient scope validation in an approval step rather than a bug that needs a crafted exploit, abuse would not require tooling: an operator who already holds approval rights would only need to approve a request carrying scopes beyond their own. Note the tension with the CVSS vector below, which scores Privileges Required as None even though the description requires an operator account with approval rights.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.01% (2nd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base score: 9.8 (CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit. Caveat: the vulnerability description on this page requires the attacker to already hold a lower-privileged operator role that can approve pairing requests, which corresponds to Privileges Required: Low rather than None. Treat the 9.8 score as the published value, but weigh it against the fact that exploitation presupposes an operator account with approval rights.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: openclaw
Vendor: osv
Affected range: 0 up to (not including) 2026.3.28
Fixed in: 2026.3.28

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-33577 is to upgrade OpenClaw to version 2026.3.28 or later. That release contains the fix in commit 4d7cc6bb4f, which restricts node pairing approvals so that an approver cannot grant scopes beyond their own. If an immediate upgrade is not feasible, reduce the set of accounts that can approve node pairing requests to administrators who already hold the broadest scopes, since the flaw is only exploitable by an operator with approval rights. Review existing pairing approval policies and confirm that only those accounts can approve. Monitor OpenClaw logs for approval events, paying particular attention to approvals whose granted scopes exceed what the approving operator holds, and review any node paired before the upgrade whose scopes look broader than expected. After upgrading, verify the fix by submitting a pairing request that asks for scopes the approving operator does not hold, approving it as that lower-privileged operator, and confirming the approval is rejected rather than granted.

How to fix

Update OpenClaw to version 2026.3.28 or later. This version corrects the insufficient scope validation in the node pairing approval path, preventing low-privilege operators from approving nodes with broader scopes. The update mitigates the risk of attackers extending privileges to paired nodes beyond their authorization level.
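The weakness class described on this page, illustrated as an added example in Node.js. This is not OpenClaw's code and does not reflect its actual API, scope names or log format; every identifier, scope string and record shape below is an assumption. It shows a pairing approval path that never checks the approver's own scopes (the shape of the flaw), the same path with the subset check that closes it (the shape of the fix and the post-upgrade verification described above), and an audit helper that flags historical approvals granting more than the approver held, which is the log review the mitigation section recommends for instances that ran pre-2026.3.28 code.

```javascript
// Added example (not OpenClaw's code): a hypothetical node pairing approval
// path with and without the scope check that CVE-2026-33577's fix adds,
// plus an audit over constructed approval records.
// All names, scope strings and record shapes here are assumptions.

// Assumed scope vocabulary; a real deployment would use OpenClaw's own.
const ALL_SCOPES = new Set(["node:read", "node:write", "node:exec", "node:admin"]);

// Vulnerable form: the approver's own scopes are never consulted, so any
// operator who may approve pairings can approve a request for any scope.
function approvePairingVulnerable(request, approver) {
  if (!approver.canApprove) throw new Error("approver lacks approval right");
  return {
    nodeId: request.nodeId,
    grantedScopes: [...request.requestedScopes],
    approvedBy: approver.id,
  };
}

// Hardened form: an approval may only grant scopes the approver already
// holds (requested is a subset of the approver's), and only known scopes.
// Unknown scopes are rejected too, so a typo cannot slip past the check.
function approvePairing(request, approver) {
  if (!approver.canApprove) throw new Error("approver lacks approval right");
  const held = new Set(approver.scopes);
  const excess = request.requestedScopes.filter(
    (s) => !ALL_SCOPES.has(s) || !held.has(s)
  );
  if (excess.length > 0) {
    throw new Error(`approver ${approver.id} cannot grant: ${excess.join(", ")}`);
  }
  return {
    nodeId: request.nodeId,
    grantedScopes: [...request.requestedScopes],
    approvedBy: approver.id,
  };
}

// Audit: given past approvals and the approvers' scopes, list approvals
// that granted more than the approver held. This is the review to run over
// records from an instance that ran a version before 2026.3.28.
function findOverScopedApprovals(approvals, approversById) {
  const findings = [];
  for (const a of approvals) {
    const approver = approversById[a.approvedBy];
    const held = new Set(approver ? approver.scopes : []);
    const excess = a.grantedScopes.filter((s) => !held.has(s));
    if (excess.length > 0) {
      findings.push({ nodeId: a.nodeId, approvedBy: a.approvedBy, excess });
    }
  }
  return findings;
}

// Constructed sample data: a low-privilege operator with approval rights,
// an admin, and a request asking for more than the operator holds.
const operator = { id: "op-low", canApprove: true, scopes: ["node:read"] };
const admin = { id: "op-admin", canApprove: true, scopes: [...ALL_SCOPES] };
const request = { nodeId: "node-7", requestedScopes: ["node:read", "node:exec"] };

// Runs the three cases and returns their outcomes so they can be checked.
function demo() {
  const vuln = approvePairingVulnerable(request, operator); // grants node:exec
  let hardenedRejected = false;
  try {
    approvePairing(request, operator);
  } catch {
    hardenedRejected = true; // the subset check refuses the over-scoped grant
  }
  const adminOk = approvePairing(request, admin); // admin holds both scopes
  const findings = findOverScopedApprovals(
    [vuln, adminOk],
    { "op-low": operator, "op-admin": admin }
  );
  return {
    vulnGranted: vuln.grantedScopes,
    hardenedRejected,
    adminGranted: adminOk.grantedScopes,
    findings,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check in `approvePairing` is the property to verify after upgrading: a request for scopes the approver does not hold must be refused, and the same request approved by an account that does hold them must succeed. `findOverScopedApprovals` is only useful if the approver's scopes at approval time are recorded alongside the approval; if they are not, the audit has to be run against current role assignments and its output treated as a lead, not a verdict.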

Frequently asked questions

What is CVE-2026-33577 — Privilege Escalation in OpenClaw?

CVE-2026-33577 is a CRITICAL vulnerability in OpenClaw versions <= 2026.3.24 that allows a lower-privileged user to escalate privileges by approving node pairing requests with broader scopes.

Am I affected by CVE-2026-33577 in OpenClaw?

You are affected if you are running OpenClaw versions 2026.3.24 or earlier. Versions 2026.3.28 and later are patched.

How do I fix CVE-2026-33577 in OpenClaw?

Upgrade OpenClaw to version 2026.3.28 or later. The fix is implemented in commit 4d7cc6bb4f.

Is CVE-2026-33577 being actively exploited?

There is currently no evidence of active exploitation, but the vulnerability's severity warrants immediate attention and patching.

Where can I find the official OpenClaw advisory for CVE-2026-33577?

Refer to the OpenClaw security advisories on their official website or GitHub repository for the latest information and updates.