4.9

OpenClaw Node Pairing Approval Vulnerability

CVE-2026-33577 GHSA-2x4x-cc5g-qmmg
Summary

A low-privilege operator can approve a pending node for more scopes than the operator itself holds, so the paired node (and whoever controls it) ends up with permissions the approver never had. This can lead to unauthorized actions on the system. Update OpenClaw to version 2026.3.28 or later to fix the issue.

What to do
  • Update openclaw to version 2026.3.28 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| – | openclaw | <= 2026.3.24 | 2026.3.28 |
Original title
OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
Original description
## Summary

The node pairing approval path did not consistently enforce that the approving caller already held every scope requested by the node.

## Impact

A lower-privileged operator could approve a pending node request for broader scopes and extend privileges onto the paired node.
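The check the advisory says was missing is a simple superset test: the caller approving a pairing request must already hold every scope the node asks for. The following TypeScript is an added illustration written for this page, not OpenClaw's own code; the names `PendingNodeRequest`, `approveNodeUnchecked`, `approveNodeChecked` and the scope strings are hypothetical, and the unchecked variant shows the class of bug (approver scopes never consulted) beside the hardened form.

```typescript
// Added example, not OpenClaw source. All names and scope values are
// hypothetical placeholders chosen to illustrate the missing check.

type Scope = string;

interface PendingNodeRequest {
  nodeId: string;
  requestedScopes: Scope[];
}

interface ApprovalResult {
  ok: boolean;
  grantedScopes: Scope[];
  // Scopes the node asked for that the caller does not hold; empty on success.
  missingScopes: Scope[];
}

// Vulnerable pattern: the approver's own scopes are never compared with what
// the node requested, so anyone who can reach the approve method grants the
// node exactly what it asked for.
function approveNodeUnchecked(
  req: PendingNodeRequest,
  _callerScopes: Scope[],
): ApprovalResult {
  return { ok: true, grantedScopes: [...req.requestedScopes], missingScopes: [] };
}

// Hardened pattern: approval succeeds only when callerScopes is a superset of
// requestedScopes. The missing scopes are returned (not granted) so the gateway
// can log the rejection with enough detail for an operator to investigate.
function approveNodeChecked(
  req: PendingNodeRequest,
  callerScopes: Scope[],
): ApprovalResult {
  const held = new Set<Scope>(callerScopes);
  const missing = Array.from(new Set(req.requestedScopes)).filter((s) => !held.has(s));
  if (missing.length > 0) {
    return { ok: false, grantedScopes: [], missingScopes: missing };
  }
  return { ok: true, grantedScopes: [...req.requestedScopes], missingScopes: [] };
}

// Constructed scenario: a node requests an admin-level scope while the
// approving operator only holds read and write. The scope names are invented.
const pendingNode: PendingNodeRequest = {
  nodeId: "node-example-01",
  requestedScopes: ["nodes.read", "nodes.write", "gateway.admin"],
};
const lowPrivilegeCaller: Scope[] = ["nodes.read", "nodes.write"];
const adminCaller: Scope[] = ["nodes.read", "nodes.write", "gateway.admin"];

// Returns the two outcomes side by side so the difference is visible.
function runScenario(): { unchecked: ApprovalResult; checked: ApprovalResult; checkedAsAdmin: ApprovalResult } {
  return {
    unchecked: approveNodeUnchecked(pendingNode, lowPrivilegeCaller),
    checked: approveNodeChecked(pendingNode, lowPrivilegeCaller),
    checkedAsAdmin: approveNodeChecked(pendingNode, adminCaller),
  };
}

const outcome = runScenario();
console.log("unchecked approval granted:", outcome.unchecked.grantedScopes);
console.log("checked approval ok:", outcome.checked.ok, "missing:", outcome.checked.missingScopes);
console.log("checked approval by admin ok:", outcome.checkedAsAdmin.ok);
```

The rejection returns the missing scopes rather than silently trimming the grant to what the caller holds: a silent trim would leave a node paired with a different scope set than the one it requested, which is harder to audit than an explicit refusal that the gateway can log.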

## Affected Component

`src/infra/node-pairing.ts`, `src/gateway/server-methods/nodes.ts`

## Fixed Versions

- Affected: `<= 2026.3.24`
- Patched: `>= 2026.3.28`
- Latest stable `2026.3.28` contains the fix.

## Fix

Fixed by commit `4d7cc6bb4f` (`gateway: restrict node pairing approvals`).
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 8.6
Vulnerability type
CWE-863 Incorrect Authorization
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 31 Mar 2026