CVSS 4.0 (GHSA): 8.6
OpenClaw: Unbound Bootstrapping Allows Unauthorized Access
GHSA-gg9v-mgcp-v6m7
Summary
The OpenClaw software has a security weakness that could allow an attacker to gain more access than they should during the initial setup process. This is a serious issue, as it could potentially lead to unauthorized access to sensitive information. To fix this, update to OpenClaw version 2026.3.22 or later.
What to do
- Update openclaw to version 2026.3.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.13-1 | 2026.3.22 |
Original title
OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing
Original description
## Summary
Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing.
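The weakness described above, illustrated with an added example that is not OpenClaw's code (the page does not show the project's pairing implementation): a hypothetical bootstrap service that lets the pairing request choose its own role and scopes at redemption, beside one that binds role and scopes to the code at issuance and rejects any redemption that asks for more. Class, role and scope names are assumptions.

```python
# Hypothetical illustration of CWE-269 in a bootstrap/pairing flow (not OpenClaw code).
import secrets
from dataclasses import dataclass

# Assumed role -> maximum scope set for this toy device model.
ROLE_SCOPES = {
    "viewer": frozenset({"read"}),
    "operator": frozenset({"read", "control"}),
    "admin": frozenset({"read", "control", "pair", "admin"}),
}

@dataclass(frozen=True)
class SetupCode:
    code: str
    role: str
    scopes: frozenset

class UnboundBootstrap:
    """Vulnerable pattern: the code only proves possession; the pairing
    request supplies role/scopes, so a viewer code can redeem as admin."""
    def __init__(self):
        self._codes = set()
    def issue(self, role, scopes):
        code = secrets.token_urlsafe(16)
        self._codes.add(code)            # intended role/scopes are discarded
        return code
    def redeem(self, code, requested_role, requested_scopes):
        if code not in self._codes:
            return None
        self._codes.discard(code)        # single use, but grants whatever was asked
        return {"role": requested_role, "scopes": set(requested_scopes)}

class BoundBootstrap:
    """Hardened pattern: role/scopes are fixed at issuance; redemption grants
    exactly the bound set and rejects requests that exceed it."""
    def __init__(self):
        self._codes = {}
    def issue(self, role, scopes):
        if not frozenset(scopes) <= ROLE_SCOPES[role]:
            raise ValueError("scopes exceed role")
        code = secrets.token_urlsafe(16)
        self._codes[code] = SetupCode(code, role, frozenset(scopes))
        return code
    def redeem(self, code, requested_role, requested_scopes):
        bound = self._codes.pop(code, None)   # consumed whether or not it succeeds
        if bound is None:
            return None
        if requested_role != bound.role or not frozenset(requested_scopes) <= bound.scopes:
            return None                       # escalation attempt: no grant, code burned
        return {"role": bound.role, "scopes": set(bound.scopes)}

def demo():
    """Issue a viewer code in both services and redeem it asking for admin."""
    unbound, bound = UnboundBootstrap(), BoundBootstrap()
    c1, c2 = unbound.issue("viewer", {"read"}), bound.issue("viewer", {"read"})
    return (unbound.redeem(c1, "admin", {"admin", "pair"}),
            bound.redeem(c2, "admin", {"admin", "pair"}))
```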
## Current Maintainer Triage
- Status: open
- Normalized severity: high
- Assessment: Real first-use bootstrap privilege-escalation bug fixed and shipped in v2026.3.22+, so keep open for publication with current severity.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.13-1`
- Patched versions: `>= 2026.3.22`
- First stable tag containing the fix: `v2026.3.22`
## Fix Commit(s)
- `a600c72ed7d0045a27f58bf031d2b36ecb0141c9` — 2026-03-22T23:57:15-07:00
OpenClaw thanks @tdjackey for reporting.
Vulnerability type: CWE-269 Improper Privilege Management
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026