CVE-2026-32905: OpenClaw: auth bypass enables persistent device enrollment
Severity: HIGH

OpenClaw, an AI agent framework, contains a missing authorization check (CWE-862) in its bundled device-pair plugin: any authenticated chat sender, whether or not they own the device or agent, can generate device-pairing bootstrap codes without scope validation. The attack path is network-accessible, requires only low privileges and no user interaction (CVSS 8.3, High), so any insider or user holding chat command access can exploit it. The critical concern is persistence: a rogue device enrolled with operator or node capabilities holds its own valid credentials until an administrator manually revokes it, so a password reset or routine credential rotation on the attacker's chat account does not cut off access. Organizations running OpenClaw should upgrade to 2026.5.4 or later and audit all existing device pairings for unauthorized enrollments.
What is the risk?
High risk for any OpenClaw deployment with multi-user chat access. The CVSS 8.3 score reflects low attack complexity and no user interaction required—any chat-authenticated user can trigger the bypass. The greatest concern is the persistent credential grant: once a rogue device is enrolled, access is maintained indefinitely until an administrator manually removes it, well beyond typical incident detection windows. While not currently in CISA KEV and lacking a public exploit, the simplicity of the attack—requiring no AI/ML expertise, only valid chat credentials—means insider threats and compromised accounts pose immediate risk to any affected deployment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | pip | < 2026.5.4 | 2026.5.4 |
Any OpenClaw deployment before 2026.5.4 that has the bundled device-pair plugin enabled and accepts chat commands from more than one user is affected.
What should I do?
1. Upgrade to OpenClaw 2026.5.4 or later, which adds the missing scope validation to the device-pair plugin.
2. Audit all currently paired devices in the admin console and revoke any unauthorized or unrecognized device enrollments.
3. Restrict device-pair plugin access to owner-scoped accounts only in your authorization configuration.
4. Enable logging and alerting on all device pairing events to detect future unauthorized enrollment attempts.
5. If patching is not immediately feasible, disable the device-pair plugin entirely or restrict chat command access to trusted operator accounts only.
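The audit in step 2 and the alerting in step 4 are easiest to reason about together: the bypass leaves a bootstrap code issued by a non-owner, and the damage is the device later enrolled through that code. The following is an added example, not OpenClaw's own tooling, that applies both rules to a constructed JSON-lines pairing log. The event names (`device_pair.bootstrap_issued`, `device_pair.enrolled`), field names and the log format are assumptions; map them onto whatever your deployment actually emits.

```typescript
// Added example, not OpenClaw's code. Two detection rules over pairing events:
//   1. unauthorized_bootstrap: a bootstrap code issued by a sender that does
//      not own the agent (the bypass itself);
//   2. rogue_enrollment: a device enrolled through such a code, i.e. the
//      persistent credential that must be revoked; rated high when the
//      device carries operator or node capabilities.
// Event and field names below are assumptions made for this example.

interface PairingEvent {
  ts: string;
  event: "device_pair.bootstrap_issued" | "device_pair.enrolled";
  code_id: string;
  sender?: string;
  sender_is_owner?: boolean;
  device?: string;
  capabilities?: string[];
}

interface Finding {
  rule: "unauthorized_bootstrap" | "rogue_enrollment";
  severity: "high" | "medium";
  subject: string; // sender id or device id
  detail: string;
}

const PRIVILEGED: string[] = ["operator", "node"];

function parseLines(lines: string[]): PairingEvent[] {
  return lines
    .map((l) => l.trim())
    .filter((l) => l.length > 0)
    .map((l) => JSON.parse(l) as PairingEvent);
}

function auditPairingLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  const nonOwnerCodes = new Map<string, string>(); // code_id -> issuing sender

  for (const ev of parseLines(lines)) {
    if (ev.event === "device_pair.bootstrap_issued") {
      if (ev.sender_is_owner === false) {
        const sender = ev.sender ?? "?";
        nonOwnerCodes.set(ev.code_id, sender);
        findings.push({
          rule: "unauthorized_bootstrap",
          severity: "medium",
          subject: sender,
          detail: `${ev.ts} non-owner ${sender} issued code ${ev.code_id} for ${(ev.capabilities ?? []).join(",")}`,
        });
      }
    } else if (ev.event === "device_pair.enrolled") {
      const issuer = nonOwnerCodes.get(ev.code_id);
      if (issuer !== undefined) {
        const caps = ev.capabilities ?? [];
        const privileged = caps.some((c) => PRIVILEGED.indexOf(c) >= 0);
        const device = ev.device ?? "?";
        findings.push({
          rule: "rogue_enrollment",
          severity: privileged ? "high" : "medium",
          subject: device,
          detail: `${ev.ts} device ${device} enrolled via code ${ev.code_id} issued by non-owner ${issuer} with ${caps.join(",")}`,
        });
      }
    }
  }
  return findings;
}

// Devices to revoke in the admin console: every enrollment traced back to a
// non-owner-issued code, highest severity first.
function devicesToRevoke(findings: Finding[]): string[] {
  return findings
    .filter((f) => f.rule === "rogue_enrollment")
    .sort((a, b) => (a.severity === b.severity ? 0 : a.severity === "high" ? -1 : 1))
    .map((f) => f.subject);
}

// Constructed sample log: a legitimate owner pairing, one bypass that enrolled
// an operator/node device, and one non-owner code that was never redeemed.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-05-02T09:00:00Z","event":"device_pair.bootstrap_issued","code_id":"c1","sender":"alice","sender_is_owner":true,"capabilities":["node"]}',
  '{"ts":"2026-05-02T09:01:10Z","event":"device_pair.enrolled","code_id":"c1","device":"alice-laptop","capabilities":["node"]}',
  '{"ts":"2026-05-02T13:22:41Z","event":"device_pair.bootstrap_issued","code_id":"c2","sender":"mallory","sender_is_owner":false,"capabilities":["operator","node"]}',
  '{"ts":"2026-05-02T13:23:05Z","event":"device_pair.enrolled","code_id":"c2","device":"vm-77","capabilities":["operator","node"]}',
  '{"ts":"2026-05-03T08:15:00Z","event":"device_pair.bootstrap_issued","code_id":"c3","sender":"bob","sender_is_owner":false,"capabilities":["chat"]}',
];

// auditPairingLog(SAMPLE_LOG) yields three findings; devicesToRevoke(...) yields ["vm-77"].
```

Run this over the full pairing history, not just recent events: the whole point of the persistence problem is that a device enrolled months ago is still valid today, and the unredeemed code for "bob" is still worth an alert because it shows the bypass being exercised even if nothing was enrolled yet.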
Frequently Asked Questions
What is CVE-2026-32905?
A missing authorization check (CWE-862) in the bundled device-pair plugin of OpenClaw before 2026.5.4. Any authenticated chat sender, owner or not, can issue device-pairing bootstrap codes and enroll a device with operator or node capabilities; that device keeps valid credentials until an administrator manually revokes it. The summary at the top of this page gives the full picture.
Is CVE-2026-32905 actively exploited?
No confirmed active exploitation of CVE-2026-32905 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-32905?
Upgrade to OpenClaw 2026.5.4 or later, then audit paired devices and revoke any you do not recognize, restrict the device-pair plugin to owner-scoped accounts, and log and alert on pairing events. If you cannot patch immediately, disable the device-pair plugin or limit chat command access to trusted operator accounts. The steps are listed in full under "What should I do?" above.
What systems are affected by CVE-2026-32905?
OpenClaw before 2026.5.4 with the bundled device-pair plugin enabled. In architectural terms this covers agent frameworks, multi-user AI agent deployments, AI automation pipelines, and chat-driven agent orchestration.
What is the CVSS score for CVE-2026-32905?
CVE-2026-32905 has a CVSS v3.1 base score of 8.3 (HIGH).
AI Security Impact
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0106 Exploitation for Credential Access
Technical Details
Original Advisory
OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal.
Exploitation Scenario
An attacker holding a low-privileged chat account in an OpenClaw multi-user environment—whether a compromised team member or a user granted limited command access—issues a device-pairing bootstrap command via the chat interface. The missing scope validation in the device-pair plugin processes the request without verifying that the sender is the device owner, returning a valid setup code. The attacker uses this code to enroll an attacker-controlled machine or virtual device with operator or node-level capabilities. The enrolled device now holds persistent, legitimate credentials within the OpenClaw agent network, enabling ongoing access to agent task execution, data outputs, and connected systems—without triggering authentication alerts, as the device appears as a normally provisioned node.
Weaknesses (CWE)
CWE-862 Missing Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Related Vulnerabilities
- CVE-2026-30741 (9.8) OpenClaw: RCE via request-side prompt injection (same package: openclaw)
- CVE-2026-28451 (9.3) OpenClaw: SSRF via Feishu extension exposes internal services (same package: openclaw)
- GHSA-cwj3-vqpp-pmxr (8.8) openclaw: Model bypasses authz to persist unsafe config (same package: openclaw)
- CVE-2026-35674 (8.8) OpenClaw: scope bypass enables full agent admin takeover (same package: openclaw)
- GHSA-m3mh-3mpg-37hw (8.6) OpenClaw: .npmrc hijack enables RCE on plugin install (same package: openclaw)