CVE-2026-53843
OpenClaw · OpenClaw
An authorization bypass vulnerability exists in OpenClaw that allows paired devices to regain unauthorized WebSocket node-level access after token revocation.
Executive summary
An authorization bypass vulnerability in OpenClaw allows attackers with a paired device to regain unauthorized node-level access, posing a high risk to system integrity.
Vulnerability
This vulnerability involves a flaw in pairing-scoped session management: revocation does not fully withdraw a device's authority, so the device can re-establish a node token afterwards. An attacker who controls a previously paired device can therefore regain node-level access without the renewed administrative approval that revocation is meant to require.
Business impact
The vulnerability carries a CVSS score of 8.8, reflecting its high severity. Successful exploitation permits an attacker to maintain persistent, unauthorized WebSocket access to critical nodes, potentially leading to unauthorized data access, command execution, or the subversion of secure communications within the environment.
Remediation
Immediate Action: Upgrade all OpenClaw installations to version 2026.5.26 or later to enforce proper token revocation logic.
Proactive Monitoring: Monitor WebSocket traffic patterns for unusual connection persistence or unauthorized node-level interactions that deviate from established baselines.
Compensating Controls: Implement strict network-level access controls to restrict which devices can establish WebSocket connections to the node controller.
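To make the revocation flaw and the corresponding check concrete, the following is an added illustration written for this advisory; it is not OpenClaw's code and does not describe its internals. It models a hypothetical pairing store in two configurations: one that revokes only the live node token while leaving the device's pairing grant intact (so a reconnect from the same paired device simply mints a fresh node token), and a hardened one where revocation also withdraws the pairing grant, so node scope is re-issued only after an explicit administrator re-approval. It also includes a small audit-log check, matching the monitoring advice above, that flags any device reaching node level after a revocation with no intervening approval. All class, event and scope names are assumptions made for this example.

```python
"""Hypothetical model of pairing-scoped revocation (added example, not OpenClaw code).

Assumed names: Pairing, PairingStore, audit events "admin_approve",
"connect_node", "connect_denied" and "revoke", and the scope value "node".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import secrets


@dataclass
class Pairing:
    device_id: str
    approved: bool            # an administrator has approved this device
    scope: str                # "node" grants node-level WebSocket access
    token: Optional[str] = None


class PairingStore:
    def __init__(self, revoke_pairing_grant: bool):
        # False models the weak behaviour (token-only revocation);
        # True models the hardened behaviour (grant withdrawn as well).
        self.hardened = revoke_pairing_grant
        self.pairings: Dict[str, Pairing] = {}
        self.revoked_tokens: Set[str] = set()
        self.audit: List[Tuple[str, str]] = []   # (event, device_id)

    def admin_approve(self, device_id: str) -> None:
        self.pairings[device_id] = Pairing(device_id, approved=True, scope="node")
        self.audit.append(("admin_approve", device_id))

    def connect(self, device_id: str) -> Optional[str]:
        """A paired device opens a WebSocket session; returns a node token or None."""
        p = self.pairings.get(device_id)
        if p is None or not p.approved or p.scope != "node":
            self.audit.append(("connect_denied", device_id))
            return None
        p.token = secrets.token_hex(16)
        self.audit.append(("connect_node", device_id))
        return p.token

    def revoke(self, device_id: str) -> None:
        p = self.pairings[device_id]
        if p.token:
            self.revoked_tokens.add(p.token)
        p.token = None
        if self.hardened:
            # Withdraw the pairing grant itself, not only the live token,
            # so a reconnect cannot regain node scope without re-approval.
            p.approved = False
            p.scope = "none"
        self.audit.append(("revoke", device_id))

    def authorize(self, device_id: str, token: str) -> bool:
        p = self.pairings.get(device_id)
        return bool(p and p.token == token
                    and token not in self.revoked_tokens and p.scope == "node")


def regained_without_reapproval(audit: List[Tuple[str, str]]) -> List[str]:
    """Detection rule: devices that reached node level after a revoke event
    with no admin_approve event in between."""
    revoked: Dict[str, bool] = {}
    findings: List[str] = []
    for event, dev in audit:
        if event == "revoke":
            revoked[dev] = True
        elif event == "admin_approve":
            revoked[dev] = False
        elif event == "connect_node" and revoked.get(dev):
            findings.append(dev)
    return findings


def demo(hardened: bool) -> Tuple[bool, List[str]]:
    """Run the revoke-then-reconnect sequence against one store configuration.

    Returns (reconnect_got_node_access, devices_flagged_by_detection)."""
    store = PairingStore(revoke_pairing_grant=hardened)
    store.admin_approve("dev-A")                # constructed device id
    first = store.connect("dev-A")
    store.revoke("dev-A")
    assert not store.authorize("dev-A", first)  # the old token is dead in both models
    second = store.connect("dev-A")             # reconnect with the still-paired device
    return second is not None, regained_without_reapproval(store.audit)


if __name__ == "__main__":
    print("weak     :", demo(False))   # (True, ['dev-A'])  access regained, flagged
    print("hardened :", demo(True))    # (False, [])        access denied until re-approval
```

The point of the two configurations is that invalidating the outstanding token is not enough: the authority that lets a paired device obtain a node token must itself be withdrawn on revocation, and the audit-log rule gives a baseline check for the monitoring recommendation above, flagging a device that reappears at node level after revocation without a matching approval event.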
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score, this vulnerability represents a significant threat to internal service integrity. Organizations should prioritize patching to version 2026.5.26 immediately to remediate the authorization flaw and prevent unauthorized node access.