Executive Summary

CVE-2026-33579 is a critical privilege escalation vulnerability in OpenClaw versions before 2026.3.28. The flaw exists in the `/pair approve` command path, where the system fails to forward the caller's scopes into the core approval check.

This means that a user who has pairing privileges but does not have administrative privileges can exploit this flaw to approve pending device pairing requests that ask for broader scopes, including admin-level access. Essentially, the missing scope validation allows unauthorized privilege escalation.

The affected code components are `extensions/device-pair/index.ts` and `src/infra/device-pairing.ts`. The vulnerability was fixed in version 2026.3.28 by ensuring that caller scopes are correctly forwarded during the approval process.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with only pairing privileges to escalate their privileges to administrative level by approving device pairing requests that request elevated scopes.

The impact includes unauthorized administrative access, which can compromise the confidentiality, integrity, and availability of the system.

• Unauthorized privilege escalation
• Potential full administrative control over the affected system
• Compromise of sensitive data and system integrity

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper scope validation in the `/pair approve` command path of OpenClaw versions prior to 2026.3.28, allowing privilege escalation by approving device pairing requests with elevated scopes.

To detect exploitation attempts on your system or network, you should monitor usage of the `/pair approve` command, especially approvals made by users with pairing privileges but without admin rights that result in granting broader scopes including admin access.

Suggested detection steps include:

• Audit logs or command histories for `/pair approve` commands executed by non-admin users.
• Check for device pairing approvals that unexpectedly grant admin-level scopes.
• Use system or application-specific logging tools to filter and alert on scope escalations during device pairing.

Specific commands depend on your environment and logging setup, but examples might include:

• Using grep or similar tools to search logs: `grep '/pair approve' /var/log/openclaw.log`
• Querying audit logs for scope changes or approvals by non-admin users.
• Implementing custom scripts to parse logs for pairing approvals granting admin scopes.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.3.28 or later, where the vulnerability has been fixed by ensuring proper forwarding and validation of caller scopes during the device pairing approval process.

Until the upgrade can be applied, consider the following temporary measures:

• Restrict pairing privileges to trusted users only, minimizing the risk of unauthorized privilege escalation.
• Monitor and audit device pairing approvals closely to detect suspicious approvals granting elevated scopes.
• Disable or limit the use of the `/pair approve` command if possible, or implement additional manual approval processes.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability CVE-2026-33579 allows a user with limited pairing privileges to escalate their access to administrative levels by exploiting missing scope validation during device pairing approval. This unauthorized privilege escalation can lead to unauthorized access to sensitive data and administrative functions.

Such unauthorized access and privilege escalation can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. Failure to enforce proper authorization checks may result in data breaches or unauthorized data processing, thereby violating these regulations.

Useful 0 Not Useful 0