Description
OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.
Published: 2026-04-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Limited‑Privilege Unauthorized Access to Paired‑Device Pairing Actions
Action: Update Vendor Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.4.20 contain an improper authorization flaw in the paired‑device pairing management module. A user session that has only limited pairing‑device scope can enumerate and act on pending pairing requests that belong to devices unrelated to that session. An attacker holding such a session can therefore approve or manipulate requests for devices that were never within their control, violating isolation expectations and potentially enabling unauthorized device access.

Affected Systems

The affected product is OpenClaw (vendor: OpenClaw). All releases before 2026.4.20 are vulnerable, regardless of minor patch level. The vulnerability exists in the Node.js-based implementation of OpenClaw, as indicated by the CPE reference.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate security impact; the EPSS score of <1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires paired‑device access (an authenticated session with permission to view pairing requests). Once in scope, the attacker can enumerate device identifiers and trigger approval or decline actions on unrelated pending requests. The impact is confined to the same gateway scope, but it still permits unauthorized manipulation of device pairing flows.

Generated by OpenCVE AI on April 28, 2026 at 14:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OpenClaw release, 2026.4.20 or later, which corrects the improper authorization logic.
  • Revoke redundant paired‑device privileges and enforce least‑privilege on the set of roles that can manage pairing requests.
  • Enable and review audit logging for all pairing actions so that any unauthorized manipulation can be detected and investigated.

Generated by OpenCVE AI on April 28, 2026 at 14:48 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 19:15:00 +0000

Values added (nothing removed):

Metrics:
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 18:15:00 +0000

Values added (nothing removed):

Description: OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.
Title: OpenClaw < 2026.4.20 - Improper Authorization in Paired-Device Pairing Actions
First Time appeared: Openclaw, Openclaw openclaw
Weaknesses: CWE-863
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw, Openclaw openclaw
References: (none listed)
Metrics:
  cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-23T18:19:34.717Z

Reserved: 2026-04-22T15:20:49.859Z

Link: CVE-2026-41909

Vulnrichment

Updated: 2026-04-23T18:19:16.503Z

NVD

Status : Analyzed

Published: 2026-04-23T18:16:29.693

Modified: 2026-04-28T19:40:13.080

Link: CVE-2026-41909

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses