Description
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired nodes beyond their authorization level.
Published: 2026-03-31
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.28 allow an operator holding only low‑privilege scopes to approve node pairing requests that carry scopes the operator does not hold. The flaw stems from missing validation of the callerScopes field in node-pairing.ts: the approval path never checks the requested scopes against the caller's own, so the operator can grant paired nodes broader permissions than the operator is authorized to use. The weakness is classified as CWE‑863 (Incorrect Authorization) and amounts to privilege escalation, since the operator can extend their effective authority onto nodes they control, including malicious ones.
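As an added illustration that is not OpenClaw's code (the real node-pairing.ts is not reproduced on this page), the following TypeScript models the CWE-863 pattern the advisory describes: an approval handler that grants a node whatever scopes it requests without consulting the caller's own scopes, beside a hardened handler that caps the grant at the caller's scopes and treats a missing or empty callerScopes as no authority rather than as unrestricted. Every type, function name, scope string and the scenario below is hypothetical.

```typescript
// Added example: minimal model of a node-pairing approval handler with the
// CWE-863 defect described above, beside a hardened version.
// All identifiers (Scope, PairingRequest, ApprovalContext, PairedNode,
// approvePairing*) are hypothetical and are not OpenClaw's API or code.

type Scope = string;

interface PairingRequest {
  nodeId: string;
  requestedScopes: Scope[]; // scopes the joining node asks to receive
}

interface ApprovalContext {
  callerId: string;
  callerScopes?: Scope[]; // scopes of the operator calling approve; may be absent
}

interface PairedNode {
  nodeId: string;
  grantedScopes: Scope[];
  approvedBy: string;
}

class ScopeValidationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ScopeValidationError";
  }
}

// Vulnerable shape: the node receives exactly what it asked for. The caller's
// scopes travel in ctx but are never consulted, so a low-privilege operator
// can hand a node scopes the operator does not hold.
function approvePairingVulnerable(req: PairingRequest, ctx: ApprovalContext): PairedNode {
  return {
    nodeId: req.nodeId,
    grantedScopes: req.requestedScopes.slice(),
    approvedBy: ctx.callerId,
  };
}

// Requested scopes the caller does not hold (empty when the request is within
// the caller's authority).
function excessScopes(requested: Scope[], callerScopes: Scope[]): Scope[] {
  return requested.filter((s) => callerScopes.indexOf(s) === -1);
}

// Hardened shape: the grant is capped at the caller's own scopes, and an
// absent or empty callerScopes is treated as "no authority", not "unlimited".
function approvePairingFixed(req: PairingRequest, ctx: ApprovalContext): PairedNode {
  const caller = ctx.callerScopes;
  if (!Array.isArray(caller) || caller.length === 0) {
    throw new ScopeValidationError(`caller ${ctx.callerId} has no scopes to delegate`);
  }
  const excess = excessScopes(req.requestedScopes, caller);
  if (excess.length > 0) {
    throw new ScopeValidationError(
      `caller ${ctx.callerId} cannot grant ${excess.join(", ")} to node ${req.nodeId}`,
    );
  }
  // Deduplicate so a repeated scope cannot inflate the grant list.
  const granted = req.requestedScopes.filter((s, i, arr) => arr.indexOf(s) === i);
  return { nodeId: req.nodeId, grantedScopes: granted, approvedBy: ctx.callerId };
}

// Constructed scenario (not taken from the advisory): a read-only operator
// approves a node that asks for an admin scope.
const lowPrivOperator: ApprovalContext = {
  callerId: "op-17",
  callerScopes: ["operator.read"],
};
const overbroadRequest: PairingRequest = {
  nodeId: "node-a1",
  requestedScopes: ["operator.read", "operator.admin"],
};

// Runs both handlers on the scenario and reports what each would do.
function compareHandlers(): { vulnerableGranted: Scope[]; fixedRejected: boolean } {
  const vulnerableGranted = approvePairingVulnerable(overbroadRequest, lowPrivOperator).grantedScopes;
  let fixedRejected = false;
  try {
    approvePairingFixed(overbroadRequest, lowPrivOperator);
  } catch (e) {
    fixedRejected = e instanceof ScopeValidationError;
  }
  return { vulnerableGranted, fixedRejected };
}

console.log(compareHandlers());
```

The subset check is the whole fix: an approver can only delegate authority it already holds, and a caller whose scopes were never loaded must fail closed. A real handler would additionally gate the approve call itself on a dedicated approval scope, which this model omits because the page does not describe OpenClaw's scope names.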

Affected Systems

The affected product is OpenClaw (vendor OpenClaw), tracked under the CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*. Any installation running a build dated before the 2026.3.28 release is vulnerable; the advisory gives no narrower version list.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 base score of 8.6 (High); its CVSS v3.1 score was revised from 9.8 to 8.1 once the vector was corrected to require low privileges (PR:L). No EPSS score is supplied and the issue is not listed in CISA's KEV catalog, so there is no public record of exploitation at the time of writing, although the SSVC assessment rates it as Automatable with total technical impact. The attack requires legitimate access to the application's node pairing interface as a low‑privilege operator and the ability to submit approval requests; no user interaction is needed. Once the flaw is used, the operator can attach scopes to paired nodes beyond their own authorization, compromising the confidentiality and integrity of the affected nodes (both CVSS vectors rate the availability impact as none).

Generated by OpenCVE AI on March 31, 2026 at 15:23 UTC.

Remediation

The OpenCVE record lists no vendor fix or workaround statement, but the CVE description and the GitHub advisory identify 2026.3.28 as the first release containing the callerScopes validation fix.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.28 or later, which includes the validation fix for node pairing approvals.
  • Until the upgrade is applied, review which operators hold node pairing approval authority and audit recently approved nodes for scopes wider than those of the approving operator.

Advisories
Source: Github GHSA
ID: GHSA-2x4x-cc5g-qmmg
Title: OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
History

Tue, 31 Mar 2026 18:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Tue, 31 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 14:30:00 +0000

Type: Description
Values Added: OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired nodes beyond their authorization level.

Type: Title
Values Added: OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve

Type: First Time appeared
Values Added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values Added: CWE-863

Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Openclaw; Openclaw openclaw

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T03:55:40.371Z

Reserved: 2026-03-23T11:00:48.408Z

Link: CVE-2026-33577

Vulnrichment

Updated: 2026-03-31T14:28:53.272Z

NVD

Status: Received

Published: 2026-03-31T15:16:14.530

Modified: 2026-03-31T18:16:54.130

Link: CVE-2026-33577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:28Z

Weaknesses