Description
OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.
Published: 2026-03-29
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Replay of Bootstrap Setup Codes
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.13 allow attackers to replay bootstrap setup codes during device pairing verification. By repeatedly submitting a valid bootstrap code before its approval, an attacker can manipulate the pending pairing scope and elevate privileges up to the operator.admin level. The weakness stems from improper authorization handling (CWE-294) and results in a severe breach of integrity and privilege boundaries.

Affected Systems

The affected product is OpenClaw software from the vendor OpenClaw. Any installation running a version older than 2026.3.13 is vulnerable. The vulnerability exists in the device-bootstrap.ts module of the Node.js runtime used by the OpenClaw application.

Risk and Exploitability

The CVSS score of 9.3 classifies this as Critical, indicating a high likelihood of successful exploitation if an attacker can trigger the device pairing flow. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, but the lack of a known exploit does not reduce its severity. Based on the description, it is inferred that an attacker could exploit the flaw remotely by initiating a pairing session, or locally if able to control a device during its setup process.

Generated by OpenCVE AI on March 29, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenClaw update to version 2026.3.13 or later to remove the replay flaw
  • Confirm that device pairing verifies bootstrap codes only once per session
  • Monitor pairing logs for repeated bootstrap code submissions and investigate any anomalies
  • If an update is unavailable, isolate vulnerable devices from untrusted networks and apply appropriate network segmentation

Generated by OpenCVE AI on March 29, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 29 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.
Title OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-294
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T14:11:58.610Z

Reserved: 2026-03-17T11:31:56.956Z

Link: CVE-2026-32987

cve-icon Vulnrichment

Updated: 2026-03-30T14:11:54.495Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-29T13:17:02.563

Modified: 2026-03-31T17:53:28.313

Link: CVE-2026-32987

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:58:14Z

Weaknesses