CVE-2026-62194
HIGHOpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can exploit misconfigured input paths or enabled features to escalate...
Full CISO analysis pending enrichment.
How severe is it?
What is the attack surface?
What should I do?
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-62194?
OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can exploit misconfigured input paths or enabled features to escalate privileges and perform unauthorized actions when the feature is reachable.
Is CVE-2026-62194 actively exploited?
No confirmed active exploitation of CVE-2026-62194 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-62194?
No patch is currently available. Monitor vendor advisories for updates.
What is the CVSS score for CVE-2026-62194?
CVE-2026-62194 has a CVSS v3.1 base score of 8.8 (HIGH).
What are the technical details?
Original Advisory
OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can exploit misconfigured input paths or enabled features to escalate privileges and perform unauthorized actions when the feature is reachable.
Weaknesses (CWE)
CWE-732 Incorrect Permission Assignment for Critical Resource
Primary
CWE-862 Missing Authorization
Primary
CWE-732 Incorrect Permission Assignment for Critical Resource CWE-862 Missing Authorization CWE-732 — Incorrect Permission Assignment for Critical Resource: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
- [Implementation] When using a critical resource such as a configuration file, check to see if the resource has insecure permissions (such as being modifiable by any regular user) [REF-62], and generate an error or even exit the software if there is a possibility that the resource could have been modified by an unauthorized party.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully defining distinct user groups, privileges, and/or roles. Map these against data, functionality, and the related resources. Then set the permissions accordingly. This will allow you to maintain more fine-grained control over your resources. [REF-207]
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H