CVE-2026-32922 | Critical | CVSS 9.9

OpenClaw Token Scope Bypass Allows Unauthenticated Privilege Escalation to Admin RCE

Tags: openclaw, privilege-escalation, token-scope, agentic-security, rce

A critical privilege escalation vulnerability in OpenClaw (CVSS 9.9) allows any caller holding a low-privilege operator.pairing token to obtain a fully privileged operator.admin token and then execute code on every connected node. The vulnerability was disclosed on March 29, 2026 and patched in version 2026.3.11.

The flaw is in OpenClaw's device.token.rotate function, which fails to constrain the scope of a newly minted token to the caller's existing privilege set: a classic confused-deputy pattern applied to agent identity management. A caller with only a pairing token can therefore rotate into an admin token, and from an operator.admin token, RCE on all connected nodes is one API call away.
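The missing check is a containment rule: the scopes of a rotated token must be a subset of the scopes the caller already holds. The following added illustration is not OpenClaw's code and uses hypothetical names (KNOWN_SCOPES, TokenStore, rotation_allowed); it places the vulnerable pattern, which trusts the requested scope list, beside the hardened one.

```python
"""Token rotation with scope containment (added illustration, not OpenClaw code).
Models the bug class with hypothetical names: a rotate handler that mints
whatever scopes the caller asks for, beside one that refuses any scope the
caller does not already hold."""
import secrets

# Hypothetical scope names modelled on the advisory; the real set is unknown.
KNOWN_SCOPES = frozenset({"operator.pairing", "operator.admin"})


def rotation_allowed(current, requested):
    """Containment rule: every requested scope must already be held."""
    requested = frozenset(requested)
    return requested <= KNOWN_SCOPES and requested <= frozenset(current)


class TokenStore:
    """In-memory token -> scopes map standing in for the gateway's store."""

    def __init__(self):
        self._tokens = {}

    def issue(self, scopes):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = frozenset(scopes)
        return token

    def scopes_of(self, token):
        return self._tokens.get(token, frozenset())

    def rotate_unsafe(self, old_token, requested):
        """Vulnerable pattern: authenticates the caller but trusts the
        requested scope list, so a pairing token can mint an admin token."""
        if old_token not in self._tokens:
            raise PermissionError("unknown token")
        del self._tokens[old_token]
        return self.issue(requested)

    def rotate(self, old_token, requested):
        """Hardened pattern: the new token's scopes are bounded by the old
        token's scopes; on refusal the old token is left untouched."""
        current = self.scopes_of(old_token)
        if not current:
            raise PermissionError("unknown token")
        if not rotation_allowed(current, requested):
            extra = sorted(frozenset(requested) - current)
            raise PermissionError(f"scope escalation refused: {extra}")
        del self._tokens[old_token]
        return self.issue(requested)
```

A rotation endpoint that logs the old and new scope sets gives the same containment rule a detection use: any rotation whose new set is not a subset of the old set is an escalation attempt.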

Over 135,000 internet-facing OpenClaw instances were detected in February 2026, 63% of them running without authentication. Because OpenClaw acts as the control plane connecting messaging platforms (Telegram, WhatsApp, Slack, Discord) to LLM backends, a successful exploit gives an attacker full control over every AI agent and channel integration in an organization's stack.

Immediate action: upgrade to OpenClaw v2026.3.11. If patching is not immediately possible, place the OpenClaw gateway behind authentication and block public internet access to port 18789.