Description
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.
Published: 2026-03-31
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

A caller with pairing privileges but not administrative rights can approve pending device pairing requests that request broader scopes, including admin access. The vulnerability is due to missing forwarding of caller scopes into the core approval check—a flaw characterized by CWE‑863, which describes improper validation of authorization permissions. An attacker can thus upgrade the permissions of a device or user without possessing full admin rights, leading to unauthorized elevation of authority.

Affected Systems

The OpenClaw application built for a Node.js runtime is affected. All releases prior to version 2026.3.28 are vulnerable; this includes the package identified by the provided CPE name. No other products or vendors are listed as impacted.

Risk and Exploitability

The flaw carries a CVSS score of 9.4 and a very low exploitation probability, with an EPSS score below 1 %. It does not appear in the CISA KEV catalog. Based on the description, the likely attack vector is remote: an authenticated request to the /pair approve API path by a user who has pairing privileges but lacks admin rights can trigger the escalation.

Generated by OpenCVE AI on April 7, 2026 at 02:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.28 or newer to apply the official fix
  • If an upgrade cannot be performed immediately, disable or restrict the device pairing approval feature for non‑admin users
  • Block device pairing requests that request admin or higher scopes until a patch is applied

Generated by OpenCVE AI on April 7, 2026 at 02:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hc5h-pmr3-3497 OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation
History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

 cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Thu, 02 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.
Title OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-863
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T22:59:00.737Z

Reserved: 2026-03-23T11:00:48.409Z

Link: CVE-2026-33579

cve-icon Vulnrichment

Updated: 2026-03-31T16:12:54.323Z

cve-icon NVD

Status : Modified

Published: 2026-03-31T15:16:14.960

Modified: 2026-04-06T23:16:26.987

Link: CVE-2026-33579

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:06Z

Weaknesses