CVE-2026-62218
OpenClaw · OpenClaw
A missing authorization flaw in OpenClaw allows authenticated users to bypass security controls during the device pairing approval process.
Executive summary
A missing authorization vulnerability in OpenClaw permits authenticated users to perform unauthorized device pairing actions, creating a significant security bypass risk.
Vulnerability
This vulnerability is categorized as CWE-862, which involves missing authorization. The application fails to perform required capability checks for authenticated users when invoking the device pairing approval function, enabling unauthorized access.
Business impact
This flaw poses a high risk to business operations by allowing unauthorized devices to be paired with the system, potentially facilitating man-in-the-middle attacks or data exfiltration. With a CVSS score of 8.8, the vulnerability threatens the confidentiality and integrity of the environment by bypassing critical security boundaries that should restrict administrative or pairing actions to authorized personnel only.
Remediation
Immediate Action: Update OpenClaw to version 2026.5.27 or later to ensure that proper authorization checks are enforced for device pairing.
Proactive Monitoring: Audit device pairing logs for anomalous activity or unrecognized devices being added to the infrastructure.
Compensating Controls: Use network-level segmentation or monitoring to detect and block unauthorized device attempts if immediate patching is not feasible.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the potential for unauthorized device integration, organizations must treat this vulnerability with high urgency. Applying the vendor-provided update is the most effective way to restore authorization controls and prevent unauthorized system access.