OpenClaw: Shared Gateway Credentials Exposed in Setup Codes

GHSA-7h7g-x2px-94hj
Summary

OpenClaw users are at risk if someone gets their setup code, as it contains a long-lived password. This could let attackers use the password outside of the initial setup process. Update OpenClaw to the latest version (2026.3.12 or later) and change any passwords that might have been exposed.

What to do
  • Update openclaw to version 2026.3.12.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| – | openclaw | <= 2026.3.11 | 2026.3.12 |
Original title
OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens
Original description
### Summary

OpenClaw pairing setup codes generated by `/pair` and `openclaw qr` embedded the configured shared gateway token or password directly in the setup payload. Anyone who obtained that code from chat history, logs, screenshots, or copied QR payloads could recover the long-lived shared credential.

### Impact

An attacker with access to a leaked setup code could reuse the shared gateway credential outside the intended one-time pairing flow.

### Affected versions

`openclaw` `<= 2026.3.11`

### Patch

Fixed in `openclaw` `2026.3.12`. Setup codes now carry short-lived bootstrap tokens that are only valid for the initial device bootstrap exchange. Update to `2026.3.12` or later and rotate any previously exposed shared gateway credentials if setup codes may have leaked.
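The two setup-code designs side by side, as an added model written for this advisory and not OpenClaw's own code: the pre-fix payload carries the long-lived shared gateway token, the post-fix payload carries a random bootstrap token that expires and can be redeemed exactly once. The `Gateway` class, its field names, the TTL and the URL are assumptions.

```python
import json
import secrets
import time

BOOTSTRAP_TTL_SECONDS = 300  # assumption: pairing window for a bootstrap token


class Gateway:
    """Hypothetical gateway: owns the long-lived shared token and issues
    short-lived, single-use bootstrap tokens for setup codes."""

    def __init__(self, shared_token):
        self._shared_token = shared_token  # must never leave the gateway
        self._bootstrap = {}  # bootstrap token -> expiry timestamp

    def vulnerable_setup_code(self, url):
        # Pre-fix shape: the shared credential rides inside the setup payload,
        # so anyone who sees the code (chat log, screenshot, QR) holds it.
        return json.dumps({"url": url, "token": self._shared_token})

    def issue_setup_code(self, url, now=None):
        # Post-fix shape: a random bootstrap token with a short TTL instead.
        now = time.time() if now is None else now
        tok = secrets.token_urlsafe(32)
        self._bootstrap[tok] = now + BOOTSTRAP_TTL_SECONDS
        return json.dumps({"url": url, "bootstrap": tok})

    def redeem(self, setup_code, now=None):
        """Device bootstrap exchange: accept a bootstrap token once, within its
        TTL, and return a fresh per-device credential (or None on rejection)."""
        now = time.time() if now is None else now
        tok = json.loads(setup_code).get("bootstrap")
        expiry = self._bootstrap.pop(tok, None)  # pop => token is single-use
        if expiry is None or now > expiry:
            return None
        return secrets.token_urlsafe(32)  # per-device credential, not the shared one


def leaks_shared_credential(setup_code, shared_token):
    """Triage check for leaked setup codes found in logs or chat history:
    does the payload contain the shared gateway credential verbatim?"""
    return shared_token in setup_code
```

Running `leaks_shared_credential` over previously shared setup codes is one way to decide whether the shared credential must be rotated after upgrading.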
Source: ghsa · CVSS 4.0: 6.9
Vulnerability type
CWE-532 Insertion of Sensitive Information into Log File
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026