Lucene search
18 matches found

RedhatCVE (added 2026/06/05 7:20 p.m., 10 views)

CVE-2026-32905

OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll...

CVSS 8.7, AI score 5.5, EPSS 0.00225
Exploits: 0, References: 1
NVD (added 2026/05/29 4:16 p.m., 16 views)

CVE-2026-32905

OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll...

CVSS 8.7, EPSS 0.00225
Exploits: 0, References: 2
Vulnrichment (added 2026/05/29 3:09 p.m., 12 views)

CVE-2026-32905 OpenClaw < 2026.5.4 - Unauthorized Device-Pairing Bootstrap Code Issuance via Chat Command

OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll...

CVSS 8.7, AI score 5.8, EPSS 0.00225
Exploits: 0, References: 2
EUVD (added 2026/05/29 3:09 p.m., 8 views)

EUVD-2026-33332

OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll...

CVSS 8.7, AI score 5.8, EPSS 0.00225
Exploits: 0, References: 2
Cvelist (added 2026/05/29 3:09 p.m., 30 views)

CVE-2026-32905 OpenClaw < 2026.5.4 - Unauthorized Device-Pairing Bootstrap Code Issuance via Chat Command

OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll...

CVSS 8.7, EPSS 0.00225
Exploits: 0, References: 2
CVE (added 2026/05/29 3:09 p.m., 20 views)

CVE-2026-32905

OpenClaw versions before 2026.5.4 contain an authorization bypass in the bundled device-pair plugin that lets non-owner users with chat command access issue device‑pairing bootstrap codes without proper scope validation. Attackers can enroll devices with operator/node capabilities by creating set...

CVSS 8.7, AI score 5.8, EPSS 0.00225
Exploits: 0, References: 2, Affected Software: 1
NVD (added 2026/04/28 7:37 p.m., 5 views)

CVE-2026-41386

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and scope...

CVSS 9.8, EPSS 0.00328
Exploits: 0, References: 3
EUVD (added 2026/04/28 6:09 p.m., 4 views)

EUVD-2026-26095

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and scope...

CVSS 9.1, AI score 5.2, EPSS 0.00328
Exploits: 0, References: 3
CVE (added 2026/04/28 6:09 p.m., 9 views)

CVE-2026-41386

OpenClaw is affected by a privilege-escalation vulnerability in bootstrap pairing where unbound bootstrap setup codes can be misassociated with device roles/scopes. Affected software: openclaw (npm). Vulnerable versions are

CVSS 9.8, AI score 5.3, EPSS 0.00328
Exploits: 0, References: 3, Affected Software: 1
Cvelist (added 2026/04/28 6:09 p.m., 28 views)

CVE-2026-41386 OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and scope...

CVSS 9.1, EPSS 0.00328
Exploits: 0, References: 3
Snyk (added 2026/04/03 3:19 a.m., 3 views)

Improper Privilege Management

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Privilege Management via the pairing process. An attacker can gain elevated privileges by exploiting unbound bootstrap setup codes during device pairing. Remediation Upgrade...

CVSS 8.6, AI score 5.9
Exploits: 0, References: 2
Github Security Blog (added 2026/04/03 3:19 a.m., 6 views)

OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing

Summary Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing. Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real first-use bootstrap privilege-escalation bug fixed and shipped in...

CVSS 9.8, AI score 5.9, EPSS 0.00328
Exploits: 0, References: 5, Affected Software: 1
OSV (added 2026/04/03 3:19 a.m., 1 view)

GHSA-GG9V-MGCP-V6M7 OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing

Summary Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing. Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real first-use bootstrap privilege-escalation bug fixed and shipped in...

CVSS 9.8, AI score 5.9, EPSS 0.00328
Exploits: 0, References: 5
Positive Technologies (added 2026/04/03 12:00 a.m., 6 views)

PT-2026-35771

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description An issue exists where bootstrap setup codes are not bound to intended device roles and scopes during pairing. This allows attackers to escalate privileges beyond their intended role and scope...

CVSS 9.8, AI score 5.8, EPSS 0.00328
Exploits: 0, References: 12
Vulnrichment (added 2026/03/29 12:44 p.m., 1 view)

CVE-2026-32987 OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing

OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admi...

CVSS 9.8, AI score 5.9, EPSS 0.00351
Exploits: 0, References: 3
ATTACKERKB (added 2026/03/29 12:44 p.m., 2 views)

CVE-2026-32987

OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admi...

CVSS 9.8, AI score 5.9, EPSS 0.00351
Exploits: 0, References: 4
Positive Technologies (added 2026/03/29 12:00 a.m., 2 views)

PT-2026-28462

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.13 Description The software contains a flaw where bootstrap setup codes can be replayed during device pairing verification within the src/infra/device-bootstrap.ts component. An attacker can repeatedly verify ...

CVSS 9.8, AI score 5.9, EPSS 0.00351
Exploits: 0, References: 8
OSV (added 2026/03/16 8:40 p.m., 1 view)

GHSA-63F5-HHC7-CX6P OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval

Summary openclaw versions <= 2026.3.12 allowed bootstrap setup codes to be replayed before approval, which could widen the scopes on a pending device pairing request. Affected Packages / Versions - Package: openclaw npm - Affected versions: <= 2026.3.12 - Fixed version: 2026.3.13 Details The...

CVSS 8.6, AI score 5.9
Exploits: 0, References: 3
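The three advisory families in this listing describe three separate failures of one pairing flow: a code could be issued by a non-owner who merely had chat-command access (CVE-2026-32905), the code carried no binding to the role and scopes it was issued for (CVE-2026-41386), and a still-valid code could be verified again before approval to widen the pending request (CVE-2026-32987). The model below is an added illustration written for this page, not OpenClaw's code and not its real src/infra/device-bootstrap.ts; the class name BootstrapPairing, the Sender/owner model, and the role and scope names are hypothetical. It shows the three checks a practitioner would expect at issuance and at verification, and a constructed walk-through of each attack path against them.

```typescript
// Added illustration (not OpenClaw's code) of a bootstrap-pairing flow that
// closes the three gaps described in the advisories above.
// Role and scope names are hypothetical placeholders.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

export type Role = "operator" | "node";
export type Scope = "operator.admin" | "operator.read" | "node.invoke";

export interface Sender { id: string; isOwner: boolean }
export interface IssuedCode { id: string; secret: string; role: Role; scopes: Scope[]; expiresAt: number }
export interface PairingRequest { deviceId: string; role: Role; scopes: Scope[] }
export interface PendingPairing { deviceId: string; role: Role; scopes: Scope[]; approved: boolean }

interface StoredCode { secretMac: Buffer; role: Role; scopes: Scope[]; expiresAt: number; consumed: boolean }

export class BootstrapPairing {
  private readonly serverKey: Buffer;
  private readonly now: () => number;
  private readonly codes = new Map<string, StoredCode>();
  readonly pending = new Map<string, PendingPairing>();

  constructor(serverKey: Buffer, now: () => number = Date.now) {
    this.serverKey = serverKey;
    this.now = now;
  }

  // The secret is stored only as an HMAC under a server key, like a password hash.
  private mac(codeId: string, secret: string): Buffer {
    return createHmac("sha256", this.serverKey).update(`${codeId}:${secret}`).digest();
  }

  // Gap 1 (the CVE-2026-32905 pattern): minting a code is an owner-only action.
  // Being an authorized chat sender is not sufficient.
  issueCode(sender: Sender, role: Role, scopes: Scope[], ttlMs = 10 * 60 * 1000): IssuedCode {
    if (!sender.isOwner) throw new Error("only the owner may issue bootstrap codes");
    const id = randomBytes(8).toString("hex");
    const secret = randomBytes(16).toString("hex");
    const expiresAt = this.now() + ttlMs;
    // Gap 2 (the CVE-2026-41386 pattern): role and scope set are fixed at issuance
    // and kept server-side with the code, so the device cannot choose them later.
    this.codes.set(id, { secretMac: this.mac(id, secret), role, scopes: [...scopes], expiresAt, consumed: false });
    return { id, secret, role, scopes: [...scopes], expiresAt };
  }

  // Returns the pending pairing on success, or a rejection reason string.
  verify(code: { id: string; secret: string }, req: PairingRequest): PendingPairing | string {
    const stored = this.codes.get(code.id);
    if (!stored) return "unknown code";
    if (stored.expiresAt <= this.now()) return "expired";
    // Gap 3 (the CVE-2026-32987 pattern): a code is single-use. A second presentation
    // is refused outright, so it can never widen an already-pending request.
    if (stored.consumed) return "replay";
    if (!timingSafeEqual(this.mac(code.id, code.secret), stored.secretMac)) return "bad secret";
    if (req.role !== stored.role) return "role not bound to this code";
    if (!req.scopes.every((s) => stored.scopes.includes(s))) return "scope exceeds binding";
    stored.consumed = true; // burn the code before anything device-visible is recorded
    // The pending request carries the validated subset, never the request as sent.
    const pairing: PendingPairing = { deviceId: req.deviceId, role: stored.role, scopes: [...req.scopes], approved: false };
    this.pending.set(req.deviceId, pairing);
    return pairing;
  }

  // Approval is a second, separate owner decision; verification alone grants nothing.
  approve(sender: Sender, deviceId: string): PendingPairing {
    if (!sender.isOwner) throw new Error("only the owner may approve pairings");
    const p = this.pending.get(deviceId);
    if (!p) throw new Error("no pending pairing for device");
    p.approved = true;
    return p;
  }
}

// Constructed walk-through of the three attack paths against the hardened flow.
export function demo() {
  const svc = new BootstrapPairing(randomBytes(32));
  const owner: Sender = { id: "owner", isOwner: true };
  const chatUser: Sender = { id: "guest", isOwner: false };

  let nonOwnerIssue = "allowed";
  try { svc.issueCode(chatUser, "operator", ["operator.admin"]); } catch { nonOwnerIssue = "refused"; }

  const code = svc.issueCode(owner, "node", ["node.invoke"]);
  const escalate = svc.verify(code, { deviceId: "dev-1", role: "operator", scopes: ["operator.admin"] });
  const first = svc.verify(code, { deviceId: "dev-1", role: "node", scopes: ["node.invoke"] });
  const replay = svc.verify(code, { deviceId: "dev-1", role: "node", scopes: ["node.invoke"] });
  const approved = svc.approve(owner, "dev-1");
  return { nonOwnerIssue, escalate, first, replay, approvedScopes: approved.scopes };
}
```

Two design choices matter more than the rest. The consumed flag is set before the pending record is written, so even a concurrent second presentation of the same code cannot observe an unconsumed code after the first one has produced device-visible state; in a real store that write should be an atomic compare-and-set rather than an in-memory flag. And the pending record is built from the bound role and the validated scope subset, never by merging the request as sent into an existing record, which is exactly the "widen on re-verify" behaviour the replay advisories describe.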