Impact
The vulnerability is an authentication bypass in the raw card send interface of OpenClaw versions prior to 2026.3.25. Specially crafted raw card commands bypass the device‑manager pairing checks and trigger legacy callback payloads for recipients that were never paired. The bypass grants an attacker unauthorized execution of callbacks, which may expose sensitive data or enable further compromise of the host system. The weakness is classified as CWE‑288 (authentication bypass using an alternate path or channel), reflecting the failure to authenticate requests on the raw card path before execution.
Affected Systems
OpenClaw devices running firmware earlier than 2026.3.25 are affected. Every deployment of the OpenClaw product line that exposes the raw card send surface without the updated pairing enforcement is vulnerable, including any installation of the node.js-based OpenClaw platform that has not applied the 2026.3.25 update. The CPE string cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* matches the affected releases.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate to high severity. EPSS data is not available, and the absence of a KEV listing suggests that no widespread exploitation has been observed yet. The likely attack vector is remote: raw card commands are transmitted over the network interface that OpenClaw exposes. An attacker would need to know the correct card command format and have network access to the target device. Once the bypass succeeds, the attacker can invoke callback routines without authorization, leading to potential information disclosure or unauthorized system actions. The vulnerability is therefore significant for organizations that rely on strict DM pairing controls.
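The CWE‑288 pattern behind this advisory is an alternate send path that skips the pairing gate the normal path enforces. The following is an added illustration written for this page, not OpenClaw's code: a minimal dispatcher with a hypothetical `sendCardVulnerable` that trusts the raw path, beside a `sendCardHardened` that places one pairing check ahead of every dispatch path and records rejected attempts for audit. All names and the sample pairing state are constructed assumptions.

```javascript
// Constructed sample state: only "alice" has completed pairing.
const pairedRecipients = new Set(["alice"]);

const callbackLog = []; // callbacks that actually executed
const auditLog = [];    // rejected attempts, for detection/alerting

function runCallback(recipient, payload) {
  callbackLog.push({ recipient, payload });
}

function dispatchCallbacks(recipient, card) {
  for (const cb of card.callbacks || []) runCallback(recipient, cb);
  return { delivered: true };
}

// Vulnerable shape (hypothetical): the pairing check lives only on the
// normal path, so a card flagged as "raw" reaches the legacy callback
// dispatcher for an unpaired recipient. This is the CWE-288 bypass.
function sendCardVulnerable(recipient, card) {
  if (card.raw) {
    return dispatchCallbacks(recipient, card); // no pairing check here
  }
  if (!pairedRecipients.has(recipient)) {
    return { delivered: false, reason: "unpaired" };
  }
  return dispatchCallbacks(recipient, card);
}

// Hardened shape: a single authentication gate precedes every path, so raw
// and rich cards are treated identically, and each rejection is audited.
function sendCardHardened(recipient, card) {
  if (!pairedRecipients.has(recipient)) {
    auditLog.push({ recipient, raw: Boolean(card.raw), reason: "unpaired" });
    return { delivered: false, reason: "unpaired" };
  }
  return dispatchCallbacks(recipient, card);
}

function resetLogs() {
  callbackLog.length = 0;
  auditLog.length = 0;
}
```

Reviewing the hardened form in a code base means checking that no send surface, legacy or otherwise, can reach the callback dispatcher without passing the same gate; the audit entries give a detection hook for repeated unpaired raw-card attempts.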
OpenCVE Enrichment