HIGH 8.3

CVE-2026-32905: OpenClaw Device-Pair Authorization Bypass (CVSS 8.3)

OpenClaw versions before 2026.5.4 contain a flaw that lets users with basic chat access create device enrollment codes they shouldn't be able to generate. An attacker with legitimate chat permissions can issue bootstrap codes that add new devices with full operator and node-level capabilities to the system. Once enrolled, these devices retain administrative credentials indefinitely until an administrator manually removes them, creating a persistent backdoor.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Weaknesses (CWE)
CWE-862
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-32905 is an authorization bypass in OpenClaw's bundled device-pair plugin stemming from improper scope validation on bootstrap code generation. The vulnerability exists in the endpoint or function responsible for issuing device-pairing setup codes. The flaw permits non-owner authenticated principals with chat sender privileges to invoke device enrollment operations without verifying whether the requestor holds the required authorization scope. An attacker leveraging this defect can generate bootstrap codes that, when applied by a victim or via direct deployment, enroll new devices with operator and node role capabilities. These credentials persist in the system's device roster until explicitly revoked, enabling sustained unauthorized access.

Business impact

This vulnerability establishes a mechanism for privilege escalation and persistent lateral movement within OpenClaw deployments. A threat actor with initial access limited to chat functionality can bootstrap high-privilege device identities, effectively obtaining operator-level control. The persistent nature of enrolled credentials means detection and response windows are compressed—the attacker maintains access even after initial compromises are patched. Organizations using OpenClaw for sensitive orchestration, automation, or multi-tenant environments face elevated risk of unauthorized automation execution, data exfiltration, and lateral spread across integrated systems.

Affected systems

OpenClaw deployments running versions prior to 2026.5.4 are affected. Organizations should verify their OpenClaw version against release notes and test environments. The vulnerability is present in the bundled device-pair plugin component, meaning all standard OpenClaw installations that include this plugin (the typical default configuration) are vulnerable if running an unpatched version.

Exploitability

Exploitability is rated as high. The attack requires only network access and a valid low-privilege account with chat command permissions—both common in shared or delegated chat environments. No special tooling is required; an attacker can invoke standard API or UI mechanisms to generate bootstrap codes. The lack of multi-factor validation or secondary approval workflows makes exploitation straightforward. However, the attacker must first obtain legitimate chat-level credentials, which raises the initial barrier slightly. Once inside, execution is trivial and nearly undetectable without logging and monitoring of device enrollment events.

Remediation

Upgrade OpenClaw to version 2026.5.4 or later as soon as possible. Before patching, restrict chat command access to trusted principals only, review existing device enrollment records for anomalies, and audit device credentials for any unexpected operator/node roles added after the vulnerability disclosure date. After patching, revoke and re-enroll any devices that may have been compromised during the vulnerable window.

Patch guidance

Apply OpenClaw 2026.5.4 or a later release from the vendor. Verify patch availability through your OpenClaw release channel or vendor advisory. Test the patch in a non-production environment to confirm compatibility with your existing device roster and automation workflows before broad deployment. The patch addresses the authorization bypass by adding proper scope validation to the bootstrap code generation function.

Detection guidance

Monitor OpenClaw logs and audit trails for device-pair plugin activities, specifically bootstrap code generation requests originating from non-owner accounts with only chat permissions. Flag any enrollment of new operator or node-capable devices by users who lack device management roles. Review device enrollment timestamps around the CVE publication date (2026-05-29 onwards) and cross-reference against legitimate provisioning windows. Enable verbose logging for device enrollment operations if available, and alert on repeated failed authorization checks preceding successful code generation.

Why prioritize this

This vulnerability merits urgent attention due to its high CVSS score (8.3), ease of exploitation by insiders or low-privilege attackers, and persistence of compromise. The ability to create long-lived operator credentials with minimal prerequisites transforms a chat-level breach into full platform control. Organizations relying on OpenClaw for production automation or multi-tenant services should prioritize patching within their standard emergency patch window.

Risk score, explained

The CVSS 3.1 score of 8.3 (HIGH) reflects the combination of network-accessible entry point, low attack complexity, low privilege requirement, and high impact on confidentiality and integrity. The presence of an authorization flaw (CWE-862) without compensating controls, coupled with the persistent nature of enrolled credentials, justifies this rating. The score does not include ransomware or KEV status, as the vulnerability is not currently on CISA's Known Exploited Vulnerabilities catalog.

Frequently asked questions

Can this vulnerability be exploited without any prior access to OpenClaw?

No. The attacker must hold a legitimate OpenClaw account with chat sender permissions. However, such accounts are often easier to obtain than admin-level access, particularly in organizations with delegated chat bots or multi-user environments. Once inside, the rest of the attack chain requires no further authentication.

If I patch OpenClaw, do I need to revoke existing devices?

Yes, organizations should audit their device roster after patching and manually revoke any devices enrolled during the vulnerable period that lack corresponding provisioning records. This eliminates any backdoors an attacker may have installed. New devices enrolled post-patch will be protected by the authorization fix.

Does this vulnerability affect OpenClaw if the device-pair plugin is disabled?

The vulnerability is specific to the device-pair plugin. If your deployment does not use or has disabled this plugin, you are not exposed to this particular flaw. However, verify that the plugin is actually disabled in your configuration and not simply inactive by default.

What is the difference between bootstrap codes and normal device enrollment?

Bootstrap codes are one-time setup credentials used to add a new device to the system with initial capabilities. Normal enrollment typically requires higher authorization or manual approval. This vulnerability allows low-privilege users to generate bootstrap codes as if they were administrators, bypassing the intended enrollment approval process.

This analysis is based on the official CVE record and vendor advisories current as of the publication date. Organizations should verify all patch versions, compatibility notes, and deployment procedures against official OpenClaw release documentation and vendor guidance. SEC.co makes no warranty regarding the completeness or real-time accuracy of this analysis. Patch testing in non-production environments before broad deployment is strongly recommended. This vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog, but the absence of public exploitation does not eliminate risk in targeted or insider threat scenarios. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).