Description
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and scope.
Published: 2026-04-28
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: Privilege Escalation during initial device pairing
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.22 allow attackers to gain unauthorized privileges by exploiting unbound bootstrap setup codes. The vulnerability arises because the bootstrap codes used in the first‑use pairing process are not correctly associated with the intended device roles and scopes. As a result, an attacker can perform initial pairing and then obtain higher privileges or broader scopes than the role originally intended, enabling further compromise of the device or connected services.

Affected Systems

All installations of OpenClaw whose version is older than 2026.3.22 are affected. The vulnerability applies to the OpenClaw product as delivered through its Node.js implementation.

Risk and Exploitability

The CVSS score of 9.1 indicates that this flaw presents a high risk for confidentiality and integrity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. The likely attack vector is during the first‑use device pairing process; an adversary positioned to influence the pairing event can exploit the unbound bootstrap codes to increase their privileges.

Generated by OpenCVE AI on April 28, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.22 or newer, which implements proper binding of bootstrap codes to device roles and scopes.
  • Restrict the initial pairing process to trusted devices and environments, ensuring that only authorized personnel can initiate first‑use pairing.
  • Apply any additional security hardening measures recommended by OpenClaw, such as enabling network segmentation and monitoring for anomalous pairing attempts.

Generated by OpenCVE AI on April 28, 2026 at 23:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and scope.
Title OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-648
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T12:49:41.640Z

Reserved: 2026-04-20T14:12:09.519Z

Link: CVE-2026-41386

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:41.770

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41386

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T00:30:15Z

Weaknesses