CVE-2026-32905
Authorization Bypass in OpenClaw Device-Pair Plugin
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | < 2026.5.4 (2026.5.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32905 is an authorization bypass vulnerability in OpenClaw versions before 2026.5.4, specifically in the bundled device-pair plugin.
This flaw allows authorized chat users who are not owners to issue device-pairing bootstrap codes without proper permission checks. Attackers with access to chat commands via platforms like Telegram, Discord, or Slack can exploit this to generate setup codes.
Using these setup codes, attackers can enroll devices with operator or node capabilities, gaining persistent credentials that remain valid until manually removed.
The root cause is an incorrect authorization check (CWE-863), and the vulnerability has a high severity score (CVSS v3.1 base score 8.3, CVSS v4.0 base score 8.7).
How can this vulnerability impact me?
This vulnerability can allow attackers with chat command access to enroll unauthorized devices with elevated operator or node capabilities.
Such unauthorized devices gain persistent credentials, potentially compromising the confidentiality and integrity of the system.
Attackers could maintain long-term access until the unauthorized devices are manually removed, increasing the risk of data breaches or unauthorized operations.
The availability impact is considered low, but the overall risk is high due to the elevated privileges granted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing chat command access logs for unauthorized issuance of device-pairing bootstrap codes. Since the issue involves attackers with chat command access creating setup codes, monitoring commands sent via configured chat channels (such as Telegram, Discord, or Slack agents) where the device-pair plugin is enabled is essential.
Specifically, detection involves checking for any device-pairing bootstrap codes issued by non-owner or unauthorized users. Reviewing paired devices for unexpected operator or node enrollments can also indicate exploitation.
No explicit commands are provided in the available resources, but suggested approaches include:
- Audit chat command logs for issuance of device-pairing bootstrap codes by non-owner users.
- List currently paired devices and verify their enrollment source and capabilities.
- Restrict or monitor chat command permissions to limit who can issue device-pairing commands.
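As an added example (not code from the advisory or the OpenClaw project), the first two audit approaches above expressed in Python over constructed audit-log lines and a constructed paired-device inventory. The JSON field names, the command name `pair.bootstrap`, and the role values are assumptions about a log schema, not OpenClaw's actual format; adapt them to whatever your deployment records.

```python
# Added example, not OpenClaw's own code or log format. Flags (1) bootstrap codes issued
# by non-owner chat users and (2) operator/node devices whose code was not owner-issued.
import json

# Constructed sample audit log (JSON lines). Field names are assumed, not OpenClaw's schema.
SAMPLE_LOG = """
{"ts": "2026-05-28T09:12:01Z", "channel": "telegram", "user": "alice", "role": "owner", "command": "pair.bootstrap", "code_id": "bc-001"}
{"ts": "2026-05-28T09:15:44Z", "channel": "discord", "user": "bob", "role": "member", "command": "pair.bootstrap", "code_id": "bc-002"}
{"ts": "2026-05-28T09:16:10Z", "channel": "discord", "user": "bob", "role": "member", "command": "status"}
{"ts": "2026-05-28T10:02:33Z", "channel": "slack", "user": "carol", "role": "member", "command": "pair.bootstrap", "code_id": "bc-003"}
"""

# Constructed paired-device inventory; "bootstrap_code" ties each enrollment to the code that created it.
SAMPLE_DEVICES = [
    {"device_id": "dev-a", "capabilities": ["operator"], "bootstrap_code": "bc-001"},
    {"device_id": "dev-b", "capabilities": ["node"], "bootstrap_code": "bc-002"},
    {"device_id": "dev-c", "capabilities": ["viewer"], "bootstrap_code": "bc-003"},
]

PAIRING_COMMANDS = {"pair.bootstrap"}   # assumed command name for issuing a bootstrap code
PRIVILEGED_CAPS = {"operator", "node"}  # capabilities the advisory says an attacker can obtain


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def non_owner_bootstrap_events(events):
    """Signal 1: bootstrap-code issuance by a user whose role is not 'owner'."""
    return [e for e in events
            if e.get("command") in PAIRING_COMMANDS and e.get("role") != "owner"]


def suspicious_devices(devices, events):
    """Signal 2: devices holding operator/node capability whose bootstrap code was
    not issued by an owner, or has no matching issuance record at all."""
    owner_codes = {e["code_id"] for e in events
                   if e.get("command") in PAIRING_COMMANDS and e.get("role") == "owner"}
    return [d["device_id"] for d in devices
            if PRIVILEGED_CAPS & set(d.get("capabilities", []))
            and d.get("bootstrap_code") not in owner_codes]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for e in non_owner_bootstrap_events(ev):
        print(f"non-owner bootstrap code: {e['ts']} {e['channel']}/{e['user']} -> {e['code_id']}")
    print("devices to review for removal:", suspicious_devices(SAMPLE_DEVICES, ev))
```

Devices flagged by the second check are the ones to review and, if unauthorized, remove manually, since their credentials stay valid until then.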
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading OpenClaw to version 2026.5.4 or later, where the vulnerability is patched.
Additionally, users should review all currently paired devices and manually remove any unauthorized devices that may have been enrolled via this vulnerability.
It is also recommended to restrict or tightly control chat command access in shared chat channels to prevent unauthorized users from issuing device-pairing bootstrap codes.