Improper privilege management in OpenClaw - #VU132709

Published: May 29, 2026


Vulnerability identifier: #VU132709
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to retain broader pending pairing authority than intended.

The vulnerability exists due to improper privilege management in the bootstrap token pairing feature: a pending bootstrap token can be reused before approval with a broader requested scope set than it was originally submitted with. A remote user can replay a pending bootstrap token with expanded requested scopes and thereby retain broader pending pairing authority than intended.

Only instances where the affected feature is enabled and reachable are vulnerable.
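The flaw pattern described above, as an added illustration that is not OpenClaw's code and makes no claim about its real API: a pending pairing store that silently overwrites the scope set when a pending token is resubmitted, beside a hardened store that binds the token to its first requested scopes and lets a replay only narrow them. All class and function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed example; PendingPairing, the two store classes and their
# methods are hypothetical names, not OpenClaw's real implementation.

@dataclass
class PendingPairing:
    token: str
    scopes: frozenset
    approved: bool = False

class VulnerablePairingStore:
    """Resubmitting a pending token replaces its scope set, so a replay with
    extra scopes widens what approval will later grant (CWE-269 pattern)."""
    def __init__(self):
        self.pending = {}

    def submit(self, token, scopes):
        self.pending[token] = PendingPairing(token, frozenset(scopes))  # blind overwrite
        return self.pending[token].scopes

    def approve(self, token):
        req = self.pending[token]
        req.approved = True
        return req.scopes  # grants whatever the last replay asked for

class HardenedPairingStore:
    """A pending token is bound to the scopes of its first submission; a replay
    may narrow that set but never widen it, and an approved token is not reusable."""
    def __init__(self):
        self.pending = {}

    def submit(self, token, scopes):
        requested = frozenset(scopes)
        existing = self.pending.get(token)
        if existing is None:
            self.pending[token] = PendingPairing(token, requested)
            return requested
        if existing.approved:
            raise PermissionError("token already approved; reuse refused")
        if not requested <= existing.scopes:
            raise PermissionError("replay requests scopes beyond the original pending set")
        existing.scopes = requested  # narrowing is the only permitted change
        return existing.scopes

    def approve(self, token):
        req = self.pending[token]
        req.approved = True
        return req.scopes
```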
Remediation

Install the security update from the vendor's website.

Sources