PT-2026-32307 · Npm · Openclaw
Published
2026-04-03
·
Updated
2026-04-03
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Summary
Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing.
Current Maintainer Triage
- Status: open
- Normalized severity: high
- Assessment: Real first-use bootstrap privilege-escalation bug fixed and shipped in v2026.3.22+, so keep open for publication with current severity.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.13-1 - Patched versions:
>= 2026.3.22 - First stable tag containing the fix:
v2026.3.22
Fix Commit(s)
a600c72ed7d0045a27f58bf031d2b36ecb0141c9— 2026-03-22T23:57:15-07:00
OpenClaw thanks @tdjackey for reporting.
Fix
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw