Description
OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.
Published: 2026-06-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw prior to 2026.5.26 contains an authorization bypass flaw that allows an attacker who controls a device paired to the target node to re‑establish node‑level WebSocket access after the token has been revoked. The flaw permits the paired device to resurrect token authority without additional approval, effectively extending unauthorized access indefinitely. This undermines the intended revocation controls and can let a compromised device persist in performing privileged operations.

Affected Systems

Systems affected by this vulnerability are OpenClaw nodes running any version earlier than 2026.5.26. The flaw exists in the pairing‑scoped device session handling component that does not properly clear authority after revocation. Attackers only need a device that has previously been paired to the vulnerable node; no additional privileges are required beyond the existing pairing relationship.

Risk and Exploitability

The CVSS score of 8.7 indicates a high risk to the confidentiality and integrity of data accessed through the node. With an EPSS of less than 1%, the probability of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. Nonetheless, the attack path requires a paired device and the ability to trigger a revocation, which are plausible in many environments. Operators should assume that unpatched systems could be reused for sustained unauthorized activity once the session is re‑established.

Generated by OpenCVE AI on June 17, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.5.26 or later, where the pairing‑scoped session revocation flaw has been corrected.
  • If a patch cannot be applied immediately, revoke and then delete any existing paired‑device sessions that are no longer needed to prevent the ability to re‑establish node authority.
  • Review WebSocket node‑level access controls to ensure that a revoked token cannot grant access to a device that holds a pairing‑scoped session, and implement stricter session validation if possible.
  • Monitor systems for unauthorized pairing sessions and consider disabling pairing mechanisms altogether if they are not required for business operations.
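The third action above (a revoked token must not let a device holding a pairing-scoped session regain node authority, and session validation should be stricter) is easiest to reason about with a small model of the two credential layers involved. The following Python is an added illustration written for this page, not OpenClaw's code: the `DeviceSession`, `NodeToken` and `AuthorityStore` names, the `strict` switch and the `approved` flag are hypothetical. The non-strict store reproduces the weakness class described in the CVE (CWE-613, insufficient session expiration): revoking a node token leaves the parent pairing session alive, so the device simply asks for a new token and is back in. The strict store ties token revocation to a renewed approval on the session, cascades session revocation to every derived token, and checks the parent session on every WebSocket authorization.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import secrets


@dataclass
class DeviceSession:
    """Pairing-scoped session held by a device (constructed model)."""
    session_id: str
    device_id: str
    approved: bool = True   # operator approval for node-level authority
    revoked: bool = False


@dataclass
class NodeToken:
    """Node-level WebSocket credential derived from a pairing session."""
    token: str
    session_id: str         # parent pairing session
    revoked: bool = False


class AuthorityStore:
    """strict=False: token revocation does not touch the parent session (weak).
    strict=True: revocation withdraws approval and is re-checked on every use."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.sessions: Dict[str, DeviceSession] = {}
        self.tokens: Dict[str, NodeToken] = {}

    def pair_device(self, device_id: str) -> DeviceSession:
        sess = DeviceSession(secrets.token_hex(8), device_id)
        self.sessions[sess.session_id] = sess
        return sess

    def approve_session(self, session_id: str) -> None:
        # Renewed operator approval is the only way back after a revocation.
        self.sessions[session_id].approved = True

    def issue_node_token(self, session_id: str) -> Optional[NodeToken]:
        sess = self.sessions.get(session_id)
        if sess is None or sess.revoked:
            return None
        if self.strict and not sess.approved:
            return None      # hardened: no re-issue without renewed approval
        tok = NodeToken(secrets.token_hex(16), session_id)
        self.tokens[tok.token] = tok
        return tok

    def revoke_node_token(self, token: str) -> None:
        tok = self.tokens.get(token)
        if tok is None:
            return
        tok.revoked = True
        if self.strict:
            # Withdraw the authority the token represented, not just the string.
            self.sessions[tok.session_id].approved = False

    def revoke_session(self, session_id: str) -> None:
        sess = self.sessions.get(session_id)
        if sess is None:
            return
        sess.revoked = True
        for tok in self.tokens.values():      # cascade to derived tokens
            if tok.session_id == session_id:
                tok.revoked = True

    def authorize_ws(self, token: str) -> bool:
        """Node-level WebSocket check: token AND its parent session must be live."""
        tok = self.tokens.get(token)
        if tok is None or tok.revoked:
            return False
        sess = self.sessions.get(tok.session_id)
        if sess is None or sess.revoked:
            return False
        if self.strict and not sess.approved:
            return False
        return True


def demo(strict: bool) -> dict:
    """Pair a device, revoke its node token, then let the device try to regain access."""
    store = AuthorityStore(strict)
    sess = store.pair_device("device-A")          # constructed device id
    tok = store.issue_node_token(sess.session_id)
    assert tok is not None
    result = {"before_revoke": store.authorize_ws(tok.token)}
    store.revoke_node_token(tok.token)
    result["old_token_after_revoke"] = store.authorize_ws(tok.token)
    regained = store.issue_node_token(sess.session_id)   # surviving session re-asks
    result["regained_without_approval"] = regained is not None and store.authorize_ws(regained.token)
    # Legitimate path: operator re-approves, then revokes the whole pairing.
    store.approve_session(sess.session_id)
    fresh = store.issue_node_token(sess.session_id)
    result["after_reapproval"] = fresh is not None and store.authorize_ws(fresh.token)
    store.revoke_session(sess.session_id)
    result["after_session_revoke"] = fresh is not None and store.authorize_ws(fresh.token)
    result["reissue_after_session_revoke"] = store.issue_node_token(sess.session_id) is not None
    return result


if __name__ == "__main__":
    print("weak   :", demo(strict=False))
    print("strict :", demo(strict=True))
```

The design point is that a node token is a derived credential: revoking it is only meaningful if the thing it was derived from (the pairing-scoped session's approval) is revoked with it, and if the WebSocket layer re-validates that parent on every connection rather than trusting the token string alone.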

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 18:30:00 +0000

Initial record entry (no values removed; all values added):

Description (added): OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.
Title (added): OpenClaw < 2026.5.26 - Node Token Revocation Bypass via Pairing-Scoped Device Session
First Time appeared (added): Openclaw (vendor); Openclaw openclaw (product)
Weaknesses (added): CWE-613
CPEs (added): cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products (added): Openclaw (vendor); Openclaw openclaw (product)
References (added): none listed
Metrics (added):
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-17T13:51:55.068Z

Reserved: 2026-06-10T21:19:32.652Z

Link: CVE-2026-53843

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-16T19:17:01.257

Modified: 2026-06-16T20:42:46.200

Link: CVE-2026-53843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses
  • CWE-613: Insufficient Session Expiration