Incorrect authorization in OpenClaw - #VU126836


Published: April 22, 2026


Vulnerability identifier: #VU126836
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to access pairing state information and approve or operate on unrelated pending device pairing requests.

The vulnerability exists due to incorrect authorization in pairing management actions when handling paired-device pairing requests within the same gateway scope: the checks confirm that the caller belongs to the gateway but do not confirm that its session scope permits managing other devices' requests. A remote user holding a paired-device session with limited pairing scope can therefore access pairing state information and approve or otherwise operate on unrelated pending device pairing requests on the same gateway.

The issue is limited to same-gateway paired-device sessions; it is not a remote unauthenticated issue.
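The following model, added here as an illustration and not taken from OpenClaw's code, contrasts the weak gateway-only check the description implies with a scope-aware one. Scope names, record fields and sample data are all constructed for the example.

```javascript
// Hypothetical model of the CWE-863 pattern in this advisory; not OpenClaw's code.
const SCOPE_MANAGE = 'pairing:manage'; // operator: may list/approve any record on its gateway
const SCOPE_SELF = 'pairing:self';     // paired device: may only read its own pairing state

// Weak authorization: any session on the same gateway may act on any pairing record.
function authorizeWeak(session, record) {
  return session.gateway === record.gateway;
}

// Hardened authorization: same gateway AND either the management scope, or a
// self-scoped session reading only the record for its own device. Approval is
// never granted to a self-scoped session.
function authorizeHardened(session, record, action) {
  if (session.gateway !== record.gateway) return false;
  if (session.scopes.includes(SCOPE_MANAGE)) return true;
  if (session.scopes.includes(SCOPE_SELF)) {
    return action === 'read' && record.device === session.device;
  }
  return false;
}

// Returns the ids of the pairing records a session may see under a given policy.
function visibleRecords(session, records, authorize) {
  return records.filter(r => authorize(session, r, 'read')).map(r => r.id);
}

// Constructed sample state: one gateway, one paired device, one pending request.
const records = [
  { id: 'rec-1', gateway: 'gw-A', device: 'phone-1', status: 'paired' },
  { id: 'rec-2', gateway: 'gw-A', device: 'phone-2', status: 'pending' },
];
const pairedDevice = { gateway: 'gw-A', device: 'phone-1', scopes: [SCOPE_SELF] };
const operator = { gateway: 'gw-A', device: null, scopes: [SCOPE_MANAGE] };

// Decision summary for one session against one record under both policies.
function decide(session, record) {
  return {
    weak: authorizeWeak(session, record),
    hardenedRead: authorizeHardened(session, record, 'read'),
    hardenedApprove: authorizeHardened(session, record, 'approve'),
  };
}
```

Under the weak policy the paired device can see and approve the unrelated pending request `rec-2`; under the hardened policy it can only read its own record, and only the operator session can approve.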


Remediation

Install security update from vendor's website.

Sources