Compliance Impact

The vulnerability exposes long-lived shared gateway credentials through pairing setup codes, allowing attackers to recover and reuse these credentials outside the intended one-time pairing flow.

This unauthorized access to sensitive credentials can lead to confidentiality breaches and unauthorized access to systems, which may violate data protection requirements under standards like GDPR and HIPAA.

Specifically, the exposure of credentials and potential unauthorized access could result in non-compliance with regulations that mandate protection of sensitive data and secure access controls.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33575 affects OpenClaw versions prior to 2026.3.12 and involves the exposure of long-lived shared gateway credentials embedded directly in pairing setup codes.

These setup codes are generated by the `/pair` endpoint and the OpenClaw `qr` command. Because the credentials are long-lived and included in these codes, attackers who obtain the setup codes—via chat history, logs, or screenshots—can recover and reuse the shared gateway credentials outside the intended one-time pairing process.

This vulnerability is classified under CWE-522 (Insufficiently Protected Credentials) and has a high severity rating with a CVSS v4 score of 8.6.

Useful 0 Not Useful 0

Impact Analysis

An attacker who obtains leaked setup codes can recover and reuse the long-lived shared gateway credentials, gaining unauthorized access to the gateway.

This unauthorized access can occur outside the intended one-time pairing flow, potentially compromising the confidentiality and security of the gateway.

The vulnerability allows attackers to bypass normal privilege requirements and user interaction, leading to a high impact on confidentiality without affecting integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves long-lived shared gateway credentials embedded in pairing setup codes generated by the /pair endpoint and the OpenClaw qr command. Detection involves identifying if any such setup codes have been leaked or captured in chat history, logs, screenshots, or network traffic.

To detect this on your system or network, you can search for pairing setup codes or QR payloads that contain embedded credentials. Monitoring logs and chat histories for these codes is essential.

Suggested commands might include searching logs or network captures for the /pair endpoint usage or QR code payloads. For example, using grep or similar tools to find pairing codes in logs:

• grep -r '/pair' /var/log/
• grep -r 'setup code' /path/to/chat/logs/
• tcpdump or Wireshark filters to capture traffic to the /pair endpoint and inspect payloads for embedded credentials.

However, no specific detection commands are provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update OpenClaw to version 2026.3.12 or later, where the vulnerability has been fixed by replacing long-lived credentials in setup codes with short-lived bootstrap tokens.

Additionally, it is recommended to rotate any shared gateway credentials that may have been exposed through leaked setup codes to prevent unauthorized reuse.

• Update OpenClaw to version 2026.3.12 or later.
• Rotate shared gateway credentials to invalidate any potentially leaked credentials.
• Review and secure logs, chat histories, and screenshots to prevent further leakage of setup codes.

Useful 0 Not Useful 0