CVE-2026-32987

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.13

Description The software contains a flaw where bootstrap setup codes can be replayed during device pairing verification within the src/infra/device-bootstrap.ts component. An attacker can repeatedly verify a valid bootstrap code before approval, potentially escalating pending pairing scopes to operator.admin privileges.

Recommendations Update to version 2026.3.13 or later.