PT-2026-29259 · Openclaw · Openclaw

Antaisecuritylab · Published 2026-03-31 · Updated 2026-04-16 · CVE-2026-33579

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.28
Description: A privilege escalation vulnerability exists in the /pair approve command path due to missing scope validation. A user with pairing privileges, but without admin privileges, can approve pending device requests for broader scopes, including admin access. This is due to the failure to forward caller scopes into the core approval check in extensions/device-pair/index.ts and src/infra/device-pairing.ts. Reports indicate that approximately 63% of internet-exposed OpenClaw instances were vulnerable due to a lack of authentication. The vulnerability allows an attacker to gain full administrative control over an instance.
Recommendations: Upgrade to version 2026.3.28 or later.
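The weakness described above is an approval routine that never sees the caller's scopes. The following TypeScript is an added illustration, not OpenClaw's code: it models a pending device-request store and shows an approval function that ignores the caller next to one that forwards the caller's scopes into the check and refuses to grant any scope the approver does not hold. The scope names, request shape, `Caller` type and helper names are all assumptions made for the example.

```typescript
// Added example (not OpenClaw's code). Scope names, request shape and the
// Caller type are assumptions made for the illustration.
type Scope = "read" | "write" | "pair" | "admin";

interface PendingRequest {
  id: string;
  deviceId: string;
  requestedScopes: Scope[];
}

interface Caller {
  userId: string;
  scopes: Scope[];
}

type ApprovalResult =
  | { ok: true; deviceId: string; granted: Scope[] }
  | { ok: false; reason: string };

// Constructed sample data: two pending device requests, one of which asks
// for admin. A fresh store is built per call so callers do not share state.
function makePendingStore(): Map<string, PendingRequest> {
  const requests: PendingRequest[] = [
    { id: "req-1", deviceId: "laptop-a", requestedScopes: ["read", "write"] },
    { id: "req-2", deviceId: "laptop-b", requestedScopes: ["admin"] },
  ];
  return new Map(requests.map((r): [string, PendingRequest] => [r.id, r]));
}

// Vulnerable pattern: the command layer knows who the caller is, but the core
// approval routine only receives the request id. Anyone who can reach this
// function approves any requested scope set, admin included.
function approveUnchecked(
  store: Map<string, PendingRequest>,
  requestId: string,
): ApprovalResult {
  const req = store.get(requestId);
  if (!req) return { ok: false, reason: "no such pending request" };
  store.delete(requestId);
  return { ok: true, deviceId: req.deviceId, granted: req.requestedScopes };
}

// Hardened pattern: the caller's scopes travel with the request into the core
// check. The approver must hold the pair scope, and may only grant scopes it
// holds itself (requested scopes must be a subset of the caller's scopes).
function approveWithScopeCheck(
  store: Map<string, PendingRequest>,
  caller: Caller,
  requestId: string,
): ApprovalResult {
  if (!caller.scopes.includes("pair")) {
    return { ok: false, reason: `${caller.userId} lacks the pair scope` };
  }
  const req = store.get(requestId);
  if (!req) return { ok: false, reason: "no such pending request" };

  const excess = req.requestedScopes.filter((s) => !caller.scopes.includes(s));
  if (excess.length > 0) {
    // Leave the request pending; only a caller holding these scopes may grant them.
    return { ok: false, reason: `${caller.userId} cannot grant: ${excess.join(", ")}` };
  }
  store.delete(requestId);
  return { ok: true, deviceId: req.deviceId, granted: req.requestedScopes };
}

// Stand-alone walkthrough for the reader: a pair-only user attempts both paths.
function demo(): { unchecked: ApprovalResult; checked: ApprovalResult } {
  const pairOnly: Caller = { userId: "alice", scopes: ["pair", "read"] };
  return {
    unchecked: approveUnchecked(makePendingStore(), "req-2"),
    checked: approveWithScopeCheck(makePendingStore(), pairOnly, "req-2"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The important design point is that the subset test happens inside the core approval routine, not only in the command front end: if the caller's scopes are not part of the routine's signature, every other entry point that reaches it inherits the same hole.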

Tags: Fix · LPE · RCE

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-33579, GHSA-F275-5H5C-5WG5, GHSA-HC5H-PMR3-3497

Affected Products: Openclaw