CVE-2026-32987
NVD
CVSS Score: 9.8
Severity: CRITICAL
Published: Mar 29, 2026
Vendor: unknown
Description
OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.