
OpenClaw: Unpaired Device Can Access Host Privileges

GHSA-xj9w-5r6q-x6v4
Summary

A node that has completed only device pairing (not node pairing) can reach sensitive host commands, potentially allowing an attacker to take control of the host system. This vulnerability affects devices paired with OpenClaw version 2026.3.28 or earlier. To fix the issue, update to version 2026.3.31 or later.

What to do
  • Update openclaw to version 2026.3.31.
Affected software
Vendor / Product: openclaw
Affected versions: <= 2026.3.28
Fix available: 2026.3.31
Original title
OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE
Original description
## Summary
Device-Paired Node Skips Node Scope Gate → Host RCE

## Current Maintainer Triage
- Status: open
- Normalized severity: high
- Assessment: Confirmed in shipped v2026.3.28: a node that was only device-paired could expose node commands without completing node pairing. High (rather than critical) is sufficient given the pairing/setup prerequisites an attacker must first satisfy.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)
- `3886b65ef21d02808c1a106fa1f9f69e22f71c32` — 2026-03-30T17:29:28+01:00

OpenClaw thanks @AntAISecurityLab for reporting.
GHSA CVSS 4.0 score: 7.7
Vulnerability type
CWE-863 Incorrect Authorization
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026