The vulnerability in OpenClaw involves a state mutation during node pairing reconnection that allows a paired node to modify or confuse approval scope decisions. A malicious actor could exploit the reconnection logic to present a broader set of node authorities than intended, effectively bypassing approval restrictions. This can lead to unauthorized actions performed by the node that were not originally authorized.

OpenClaw, the open‑source node pairing system, is affected in all releases prior to version 2026.5.27. Systems running these older versions on typical Node.js environments are at risk if they allow peer nodes to reconnect without stringent verification.

The CVSS score of 6.0 indicates medium severity, and no EPSS data or KEV listing is available, suggesting the probability of exploitation is uncertain but not negligible. The likely attack vector, inferred from the description, is a malicious or compromised peer node that initiates reconnection to gain expanded authority. Attackers would need the ability to inject reconnection traffic or modify pairings, which is feasible in an environment where node-to-node communication is not adequately authenticated. Based on the description, it is inferred that the attacker must have control over a connected peer node and must be able to perform reconnection steps. While the CVSS baseline reflects a moderate risk, organizations that rely on strict approval scopes for critical operations should consider the potential impact of an unauthorized node assuming elevated permissions.