PT-2026-28462 · Openclaw · Openclaw
Tdjackey
·
Published
2026-03-29
·
Updated
2026-03-30
·
CVE-2026-32987
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.13
Description
The software contains a flaw where bootstrap setup codes can be replayed during device pairing verification within the
src/infra/device-bootstrap.ts component. An attacker can repeatedly verify a valid bootstrap code before approval, potentially escalating pending pairing scopes to operator.admin privileges.Recommendations
Update to version 2026.3.13 or later.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw