
OpenClaw: Unbound Setup Codes Allow Unauthorized Access

GHSA-gg9v-mgcp-v6m7
Summary

OpenClaw's bootstrap setup codes, which are used to pair a new device during initial setup, were not bound to the device role and scopes they were issued for. A client redeeming a code could therefore end up with more privileges than the code was meant to grant (a first-use privilege escalation, classified as CWE-269). The fix shipped in OpenClaw 2026.3.22; if you run an older version, update to 2026.3.22 or later.

What to do
  • Update openclaw to version 2026.3.22 or later.
Affected software
Vendor/Product: openclaw (npm)
Affected versions: <= 2026.3.13-1 (every release before 2026.3.22)
Fix available: 2026.3.22
Original title
OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing
Original description
## Summary
Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing.

## Current Maintainer Triage
- Status: open
- Normalized severity: high
- Assessment: Real first-use bootstrap privilege-escalation bug fixed and shipped in v2026.3.22+, so keep open for publication with current severity.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.13-1`
- Patched versions: `>= 2026.3.22`
- First stable tag containing the fix: `v2026.3.22`

## Fix Commit(s)
- `a600c72ed7d0045a27f58bf031d2b36ecb0141c9` — 2026-03-22T23:57:15-07:00

OpenClaw thanks @tdjackey for reporting.
Severity: CVSS 4.0 score 8.6 (source: OSV)
Vulnerability type
CWE-269 Improper Privilege Management
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026