31 matches found
EUVD-2026-36626
OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval...
CVE-2026-53838
OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval...
CVE-2026-53838 OpenClaw < 2026.5.27 - Node Pairing State Mutation via Reconnection
OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval...
CVE-2026-53838
OpenClaw is affected by a state mutation vulnerability in node pairing reconnection prior to version 2026.5.27. The issue lets paired nodes confuse approval scope decisions by manipulating reconnection logic, potentially restoring or presenting broader node authority than intended and bypassing a...
CVE-2026-53838 OpenClaw < 2026.5.27 - Node Pairing State Mutation via Reconnection
OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval...
PT-2026-49042
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.27 Description A state mutation issue exists in the node pairing reconnection process. This allows paired nodes to confuse approval scope decisions, enabling attackers to exploit reconnection logic to restore ...
CVE-2026-42426
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairi...
CVE-2026-42432 OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system...
CVE-2026-42432
OpenClaw vulnerable component: the node-pairing flow in the OpenClaw npm package allows a previously paired node to reconnect and run exec-capable commands without operator.admin re-pair authentication, enabling local privilege escalation. Affected versions include
CVE-2026-42426 OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairi...
CVE-2026-42426
OpenClaw has a versioned vulnerability: before 2026.4.8, the node.pair.approve method incorrectly accepts operator.write scope instead of the narrower operator.pairing scope. This allows unprivileged users with operator.write permissions to bypass pairing restrictions and potentially gain unautho...
EUVD-2026-26128
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairi...
CVE-2026-42426 OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairi...
PT-2026-35804
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairi...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.8 contained security vulnerabilities. These vulnerabilities stemmed from improper authorization; the node.pair.approve method accepted the operator.write scope instead of the...
GHSA-67MF-F936-PPXF OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
Impact OpenClaw node.pair.approve placed in operator.write scope instead of operator.pairing allows unprivileged pairing approval. The pairing approval method accepted operator.write instead of the narrower pairing scope and admin requirement for exec-capable nodes. OpenClaw is a user-controlled...
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
Impact Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement. A previously paired node could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path. OpenClaw is a user-controlled local assistant. This...
GHSA-5WJ5-87VQ-39XM OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
Impact Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement. A previously paired node could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path. OpenClaw is a user-controlled local assistant. This...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the node pairing process. An attacker can execute arbitrary commands on the host system by exploiting insufficient enforcement of node scope restrictions. This ...
CVE-2026-33577
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired...