CVE-2026-32987 - Vulnerability Details

Description

OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.

Published: 2026-03-29

Score: 9.3 Critical

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OpenClaw

unaffected

Version	Status	Constraints
`0`	affected	< 2026.3.13
`2026.3.13`	unaffected	—

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c
https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p
https://www.vulncheck.com/advisories/openclaw-bootstrap-setup-code-replay-via-device-pairing

History

Sun, 29 Mar 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.
Title		OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing
First Time appeared		Openclaw Openclaw openclaw
Weaknesses		CWE-294
CPEs		cpe:2.3:a:openclaw:openclaw::::::node.js::*
Vendors & Products		Openclaw Openclaw openclaw
References		https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p https://www.vulncheck.com/advisories/openclaw-bootstrap-setup-code-replay-via-device-pairing
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Openclaw Openclaw

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-03-29T12:44:29.705Z

Updated: 2026-03-29T12:44:29.705Z

Reserved: 2026-03-17T11:31:56.956Z

Link: CVE-2026-32987

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-29T13:17:02.563

Modified: 2026-03-29T13:17:02.563

Link: CVE-2026-32987

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-294

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object