Description
OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access.
Published: 2026-06-16
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw versions prior to 2026.4.25 contain a scope containment bypass in the device re‑pairing process. The flaw allows an authenticated operator to submit re‑pairing requests with empty scope sets, which the application accepts and uses to grant broader access than originally intended. The result is an authorization bypass that can lead to unauthorized device access or privilege elevation within the system.

Affected Systems

The affected product is OpenClaw OpenClaw. Versions before 2026.4.25 are vulnerable. No specific version numbers beyond that are listed.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity. The EPSS score of less than 1% suggests that the exploitation probability is very low. The vulnerability is not listed in the CISA KEV catalog, further indicating limited current exploitation. Because the flaw requires the attacker to be an authenticated operator, the attack vector is limited to internal users or compromised accounts. Exploitation would involve sending a re‑pairing request containing an empty scope set to bypass containment checks and gain broader device access.

Generated by OpenCVE AI on June 17, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw version 2026.4.25 or later to apply the vendor's fix.
  • If an upgrade is not feasible, restrict the device re‑pairing functionality so that empty scope sets are rejected or rejected for non‑privileged users.
  • Implement additional authorization checks on re‑pairing requests to ensure that the requested scope does not exceed the caller’s current permissions.

Generated by OpenCVE AI on June 17, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8mg9-j9cf-54cj OpenClaw: Empty-scope device re-pairing could confuse caller scope containment
History

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access.
Title OpenClaw < 2026.4.25 - Scope Bypass via Empty-Scope Device Re-pairing
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-636
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-16T18:59:09.242Z

Reserved: 2026-06-10T21:21:12.125Z

Link: CVE-2026-53852

cve-icon Vulnrichment

Updated: 2026-06-16T18:58:54.234Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T19:17:02.510

Modified: 2026-06-16T20:42:46.200

Link: CVE-2026-53852

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:30:12Z

Weaknesses
  • CWE-636

    Not Failing Securely ('Failing Open')