OpenClaw contains a critical privilege escalation flaw that allows unauthorized users to manipulate device roles during the pairing process.

Bootstrap setup codes are not properly bound to specific device roles or scopes, allowing an unauthenticated attacker to escalate privileges during initial pairing.

The CVSS score of 9.1 underscores the critical nature of this flaw, which allows an attacker to bypass intended access controls. This could lead to unauthorized administrative control over devices, potentially exposing sensitive operational data or allowing for broader network compromise.

Immediate Action: Update OpenClaw to version 2026.3.22 or later immediately to enforce proper scope and role binding during pairing.

Proactive Monitoring: Review system logs for pairing events and privilege changes that occur during the onboarding of new devices.

Compensating Controls: Implement strict physical and network access controls during the device pairing window to minimize the exposure to unauthorized individuals.

Public Exploit Available: False

Updating to the latest version is mandatory to correct the logic error in the pairing process. Administrators should ensure that all new device onboarding follows the updated, secure pairing procedures defined in the latest documentation.