Executive Summary

CVE-2026-32987 is a critical security vulnerability in OpenClaw versions before 2026.3.13 that affects the device pairing process. Specifically, the vulnerability exists in the handling of bootstrap setup codes used during device pairing verification in the source file src/infra/device-bootstrap.ts.

The issue allows an attacker to replay bootstrap setup codes multiple times before the pairing request is approved. This replay attack enables the attacker to escalate the pending device pairing scopes, potentially increasing their privileges from a lower operator level to operator.admin without proper authorization.

The root cause is that bootstrap tokens were not single-use, allowing repeated verification and scope escalation. The vulnerability was fixed in version 2026.3.13 by making bootstrap tokens single-use, so the token is consumed upon first successful verification, preventing replay and unauthorized privilege escalation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts by allowing attackers to escalate privileges during the device pairing process without approval.

• Attackers can replay bootstrap setup codes multiple times to increase their access scopes.
• Privilege escalation can occur from a lower operator scope to operator.admin, granting high-level administrative control.
• Unauthorized control over devices can be gained, violating the trust model of OpenClaw and potentially compromising device security.
• Because no privileges or user interaction are required to exploit this vulnerability, it poses a high risk of unauthorized access.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for replay attempts of bootstrap setup codes during device pairing processes in OpenClaw versions prior to 2026.3.13.

Since the vulnerability allows multiple uses of the same bootstrap token before approval, you can look for repeated verification attempts of identical bootstrap tokens in your system logs or device pairing audit trails.

Specific commands are not provided in the resources, but general approaches include:

• Review logs related to device pairing events for repeated bootstrap token usage.
• Use network monitoring tools to capture and analyze traffic for repeated bootstrap token transmissions.
• If OpenClaw provides debugging or verbose logging modes, enable them to trace bootstrap token verification attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.3.13 or later, where the vulnerability is fixed by making bootstrap setup codes single-use.

This update ensures that bootstrap tokens are consumed upon first successful verification, preventing replay attacks and unauthorized privilege escalation.

Until the upgrade can be applied, consider restricting device pairing operations to trusted environments and monitoring for suspicious repeated bootstrap token usage.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in OpenClaw allows attackers to replay bootstrap setup codes multiple times during device pairing, leading to unauthorized privilege escalation up to operator.admin level. This improper privilege management and authentication bypass could result in unauthorized access to sensitive data or system controls.

Such unauthorized access and privilege escalation can negatively impact compliance with common security and privacy standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

By allowing attackers to escalate privileges without proper approval, the vulnerability undermines the trust model and security controls necessary to meet these regulatory requirements.

Useful 0 Not Useful 0