PT-2026-27288 · Npm · Openclaw
Published 2026-03-13 · Updated 2026-03-13
CVSS v4.0 6.9 Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
OpenClaw pairing setup codes generated by /pair and openclaw qr embedded the configured shared gateway token or password directly in the setup payload. Anyone who obtained that code from chat history, logs, screenshots, or copied QR payloads could recover the long-lived shared credential.
Impact
An attacker holding a leaked setup code could reuse the shared gateway credential outside the intended one-time pairing flow, and the credential remains usable until it is rotated.
Affected versions
openclaw <= 2026.3.11
Patch
Fixed in openclaw 2026.3.12. Setup codes now carry short-lived bootstrap tokens that are only valid for the initial device bootstrap exchange. Update to 2026.3.12 or later and, if setup codes may have leaked, rotate any previously exposed shared gateway credentials: the update stops new codes from carrying the credential, but it does not invalidate a credential already copied out of an old one.
Fix
Insertion into Log File
Weakness Enumeration
Related identifiers
Affected products
Openclaw