CVE-2026-32987
OpenClaw · OpenClaw
OpenClaw's device pairing process is vulnerable to a replay attack where bootstrap setup codes can be reused to escalate pairing scopes to administrative levels.
Executive summary
OpenClaw versions before 2026.3.13 are vulnerable to a critical bootstrap code replay flaw that allows attackers to escalate privileges to administrative levels during device pairing.
Vulnerability
The flaw exists in src/infra/device-bootstrap.ts, where bootstrap setup codes can be replayed during the verification phase. An attacker can exploit this by submitting a valid code multiple times before final approval, effectively escalating pending pairing scopes to operator.admin status.
Business impact
This vulnerability allows an attacker to bypass the intended security controls of the device pairing process, gaining unauthorized administrative access to the platform. With a CVSS score of 9.8, the risk is critical as it facilitates unauthorized control over the device management infrastructure and potential data exposure.
Remediation
Immediate Action: Update OpenClaw to version 2026.3.13 or later, which invalidates a bootstrap code on its first use so it cannot be resubmitted during the verification phase.
Proactive Monitoring: Monitor device pairing logs for multiple verification attempts using the same bootstrap code and investigate any unauthorized elevations to operator.admin status.
Compensating Controls: Implement time-limited bootstrap codes and require multi-factor authentication for administrative device pairing approvals.
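As an added example of the monitoring step above (not OpenClaw's tooling), the block below scans pairing verification log lines, flags any bootstrap code presented more than once, and flags every successful elevation to operator.admin for review. The JSON log format and its field names are constructed for this example; OpenClaw's real pairing log layout is not documented on this page, so the field names are assumptions to adapt to your deployment.

```typescript
// Added example (not OpenClaw's code): detection over constructed pairing logs.
export interface PairingEvent {
  ts: string;
  event: string;           // assumed event name, e.g. "bootstrap.verify"
  code_id: string;         // opaque id of the bootstrap code, never the code itself
  device_id: string;
  requested_scope: string;
  result: "ok" | "rejected";
}

export interface Finding {
  kind: "code_reuse" | "admin_elevation";
  code_id: string;
  device_id: string;
  detail: string;
}

// Parse JSON lines, keeping only verification events and skipping malformed lines.
export function parseEvents(lines: string[]): PairingEvent[] {
  const out: PairingEvent[] = [];
  for (const line of lines) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try {
      const e = JSON.parse(trimmed) as PairingEvent;
      if (e.event === "bootstrap.verify") out.push(e);
    } catch {
      // malformed line: skip it rather than abort the whole scan
    }
  }
  return out;
}

export function detect(events: PairingEvent[]): Finding[] {
  const findings: Finding[] = [];
  const seen = new Map<string, PairingEvent[]>();
  for (const e of events) {
    const prior = seen.get(e.code_id) ?? [];
    // Any second presentation of the same code is suspicious: a correctly
    // patched service should have invalidated it on first use.
    if (prior.length > 0) {
      findings.push({
        kind: "code_reuse",
        code_id: e.code_id,
        device_id: e.device_id,
        detail: `code presented ${prior.length + 1} times; first at ${prior[0].ts}, again at ${e.ts}`,
      });
    }
    prior.push(e);
    seen.set(e.code_id, prior);
    // Every successful admin-scope pairing is worth a human look, reused code or not.
    if (e.result === "ok" && e.requested_scope === "operator.admin") {
      findings.push({
        kind: "admin_elevation",
        code_id: e.code_id,
        device_id: e.device_id,
        detail: `operator.admin approved at ${e.ts}`,
      });
    }
  }
  return findings;
}

// Constructed sample log: bc_1 is presented three times, twice asking for admin.
export const SAMPLE_LOG: string[] = [
  '{"ts":"2026-03-10T09:00:00Z","event":"bootstrap.verify","code_id":"bc_1","device_id":"dev-1","requested_scope":"operator.write","result":"ok"}',
  '{"ts":"2026-03-10T09:00:05Z","event":"bootstrap.verify","code_id":"bc_2","device_id":"dev-2","requested_scope":"operator.read","result":"ok"}',
  '{"ts":"2026-03-10T09:00:07Z","event":"bootstrap.verify","code_id":"bc_1","device_id":"dev-1","requested_scope":"operator.admin","result":"ok"}',
  '{"ts":"2026-03-10T09:00:09Z","event":"bootstrap.verify","code_id":"bc_1","device_id":"dev-1","requested_scope":"operator.admin","result":"ok"}',
  'not json at all',
  '{"ts":"2026-03-10T09:30:00Z","event":"bootstrap.verify","code_id":"bc_3","device_id":"dev-3","requested_scope":"operator.admin","result":"ok"}',
];

export function scanSample(): Finding[] {
  return detect(parseEvents(SAMPLE_LOG));
}
```

On the sample, the scan reports two code_reuse findings (both for bc_1) and three admin_elevation findings; the two for dev-1 coincide with reused codes and are the ones to investigate first, while the one for dev-3 is a single-use admin pairing that still merits confirmation against the approval record.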
Exploitation status
Public Exploit Available: false
Analyst recommendation
Replay attacks against authentication and pairing mechanisms are high-impact vulnerabilities. Immediate patching to version 2026.3.13 is required to prevent unauthorized administrative access and maintain the integrity of the device bootstrap process.