CVE-2026-53817

OpenClaw · Multiple Products

A locality validation vulnerability in the OpenClaw Control UI pairing allows network-adjacent attackers to obtain durable admin-capable device tokens.

Executive summary

An insufficient locality validation flaw in OpenClaw's Control UI pairing allows a network-adjacent attacker to spoof the locality information the pairing step relies on and be issued durable, admin-capable device tokens, leading to persistent unauthorized control.

Vulnerability

The flaw lies in the Control UI pairing flow, whose locality validation is insufficient. An attacker who can reach the pairing endpoint over the network can spoof the locality information it relies on and be issued durable, admin-capable device tokens that persist beyond the standard rotation period.
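The following is an added illustration of the vulnerability class described above, not OpenClaw's code and not a reconstruction of the actual flawed check. It assumes a pairing endpoint that decides whether a client is "local" before granting an admin-capable token, and contrasts a check that trusts client-controlled data (here an assumed X-Forwarded-For header) with one that uses only the transport-layer peer address.

```python
import ipaddress

# Hypothetical example: locality inferred from client-controlled data versus
# from the socket peer address. Header name and decision values are assumptions.


def is_local_weak(peer_ip: str, headers: dict) -> bool:
    """Weak check: prefers a client-supplied forwarded address over the real peer.

    Any network-adjacent client can set the header to a loopback address and
    be treated as local, which is the failure mode the advisory describes.
    """
    claimed = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    return ipaddress.ip_address(claimed).is_loopback


def is_local_strong(peer_ip: str, headers: dict) -> bool:
    """Hardened check: only the address the connection actually came from counts."""
    return ipaddress.ip_address(peer_ip).is_loopback


def pairing_decision(peer_ip: str, headers: dict, locality_check) -> str:
    """Returns the scope a pairing request would receive under a given locality check.

    "admin" models the durable admin-capable device token; "rejected" models
    refusing to pair a non-local client at all.
    """
    return "admin" if locality_check(peer_ip, headers) else "rejected"


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("weak  :", pairing_decision("10.0.0.5", spoofed, is_local_weak))
    print("strong:", pairing_decision("10.0.0.5", spoofed, is_local_strong))
```

If the Control UI is deployed behind a reverse proxy, the hardened variant must be extended to accept forwarded addresses only from the proxy's own address, never from arbitrary peers; trusting the header unconditionally reintroduces the weak behaviour.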

Business impact

With a CVSS score of 8.8, this vulnerability poses a high risk of long-term unauthorized administrative access. If exploited, an attacker could maintain persistent control over the affected infrastructure, leading to significant risk of data exfiltration and operational disruption.

Remediation

Immediate Action: Update OpenClaw to version 2026.5.22 or later to strengthen pairing security and token validation.

Proactive Monitoring: Alert on issuance of admin-capable device tokens, and investigate pairing events whose source address is not a trusted local client or whose token lifetime exceeds the standard rotation period.

Compensating Controls: Use network segmentation to restrict access to the Control UI to trusted, authorized subnets, reducing the exposure to network-adjacent attackers.
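As an added example of the monitoring and segmentation controls above (not OpenClaw's tooling), the detector below scans constructed pairing-event log lines for admin-capable tokens that were issued to a peer outside the trusted subnets or with a lifetime longer than the rotation period. The JSON-lines schema, field names, subnet list and rotation period are all assumptions.

```python
import ipaddress
import json

# Constructed sample log lines in an assumed JSON-lines format. The field
# names and event names are assumptions, not OpenClaw's actual log schema.
SAMPLE_LOG = """
{"ts": "2026-05-20T10:00:01Z", "event": "pairing.token_issued", "device_id": "dev-01", "scope": "admin", "peer_ip": "127.0.0.1", "ttl_seconds": 3600}
{"ts": "2026-05-20T10:05:12Z", "event": "pairing.token_issued", "device_id": "dev-02", "scope": "viewer", "peer_ip": "10.20.0.8", "ttl_seconds": 3600}
{"ts": "2026-05-20T10:07:44Z", "event": "pairing.token_issued", "device_id": "dev-03", "scope": "admin", "peer_ip": "10.99.4.17", "ttl_seconds": 2592000}
{"ts": "2026-05-20T10:09:03Z", "event": "pairing.token_issued", "device_id": "dev-04", "scope": "admin", "peer_ip": "10.20.0.9", "ttl_seconds": 2592000}
{"ts": "2026-05-20T10:10:00Z", "event": "session.login", "device_id": "dev-01", "peer_ip": "127.0.0.1"}
"""

# Assumed trusted sources: loopback plus one administrative subnet.
TRUSTED_SUBNETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.20.0.0/24"),
]
ROTATION_PERIOD_SECONDS = 24 * 3600  # assumed standard token rotation period


def parse_events(text: str) -> list:
    """Parses JSON-lines log text, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # never let one bad line stop the detector
    return events


def find_suspicious_admin_tokens(events, trusted=TRUSTED_SUBNETS,
                                 rotation=ROTATION_PERIOD_SECONDS) -> list:
    """Flags admin-scope token issuance from untrusted peers or with over-long TTLs."""
    findings = []
    for ev in events:
        if ev.get("event") != "pairing.token_issued" or ev.get("scope") != "admin":
            continue
        reasons = []
        try:
            ip = ipaddress.ip_address(ev.get("peer_ip", ""))
            if not any(ip in net for net in trusted):
                reasons.append("peer outside trusted subnets")
        except ValueError:
            reasons.append("unparseable peer_ip")
        if ev.get("ttl_seconds", 0) > rotation:
            reasons.append("ttl exceeds rotation period")
        if reasons:
            findings.append({
                "device_id": ev.get("device_id"),
                "peer_ip": ev.get("peer_ip"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_admin_tokens(parse_events(SAMPLE_LOG)):
        print(f["device_id"], f["peer_ip"], "; ".join(f["reasons"]))
```

The same trusted-subnet list used here for detection is the one the segmentation control should enforce at the network layer; a finding for a peer outside it indicates either a segmentation gap or a pairing request that bypassed the intended locality restriction.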

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability for an attacker to gain persistent, administrative-level credentials is a critical security concern. Organizations must prioritize the update to version 2026.5.22 to ensure that token issuance is properly secured against locality-based spoofing.