GHSA-xr4f-mjxj-w6w5: OpenClaw: chat auth bypass enables device pairing hijack

GHSA-xr4f-mjxj-w6w5 HIGH
Published July 2, 2026
CISO Take

OpenClaw's bundled device-pair plugin exposed the `/pair` bootstrap flow on normal chat commands, letting any authorized non-owner sender in a shared Telegram, Discord, or Slack channel generate a device-enrollment code without owner, admin, or pairing scope — a textbook incorrect-authorization flaw (CWE-863) scoring CVSS 8.3 due to high confidentiality and integrity impact. The blast radius here is architectural rather than volumetric: only 4 tracked downstream dependents and no EPSS/CISA KEV data exist yet since this is a same-day GHSA disclosure with no public exploit or Nuclei template, but the underlying package carries a concerning 0/100 risk score and 425 other CVEs, signaling a broader hygiene problem worth watching. The realistic exposure is any team running OpenClaw as a chat-operated agent with more than one authorized human in the channel — a common setup for shared ops or support bots — where a low-privilege colleague, contractor, or compromised chat account can silently mint themselves persistent operator/node credentials. Patch to `openclaw@2026.5.4` immediately, then audit and prune the paired-devices list for any unrecognized entries, since enrolled devices retain access until manually removed. Until patched, restrict chat-channel command access to trusted admins only as a compensating control.

Sources: GitHub Advisory ATLAS

What is the risk?

High severity (CVSS 8.3, AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:L) but gated by a real precondition: the attacker must already be an authorized sender able to issue normal chat commands, so this is not exploitable by anonymous internet actors. Within that population, exploitation is low-complexity and requires no user interaction — a single chat command triggers code generation, and using it before expiry completes the takeover. No EPSS score, CISA KEV listing, public exploit, or scanner template exists yet given the advisory's same-day disclosure, so treat likelihood as currently unconfirmed rather than low; incorrect-authorization bugs in chat-command surfaces are straightforward to weaponize once details circulate. The package's 0/100 OpenSSF-style risk score and history of 425 prior CVEs argue for tightening operational hygiene around this dependency regardless of this specific fix.

How does the attack unfold?

Authorized Chat Access
Attacker already holds legitimate, non-owner permission to send commands to the OpenClaw agent through a configured Telegram, Discord, or Slack channel.
AML.T0012
Command Abuse
Attacker issues the `/pair` chat command, which the plugin processes without verifying owner, admin, or pairing scope, generating a valid device-bootstrap setup code.
AML.T0053
Device Enrollment
Attacker uses the setup code before expiry to enroll their own device, which the agent then trusts with operator/node capabilities.
AML.T0081
Persistent Impact
The rogue device retains standing credentials and privileged access to the agent until an administrator notices and manually removes it.
AML.T0091.000

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm < 2026.5.4 2026.5.4
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
8.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A Low

What should I do?

1 step
  1. 1) Upgrade to openclaw@2026.5.4 or later immediately — this is the only complete fix. 2) Audit the current list of paired devices and revoke/remove any entries you cannot attribute to a known, authorized device. 3) As a stopgap pre-patch, restrict chat-channel membership/command permissions so only owners/admins can interact with the agent, or disable the device-pair plugin if pairing isn't actively needed. 4) Post-patch, monitor for /pair-related command invocations from non-admin senders and alert on new device enrollments as a detection signal. 5) Given 425 other CVEs in this package, consider a broader dependency-hygiene review of the OpenClaw deployment.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.2 - AI system access control
NIST AI RMF
MANAGE-1.3 - Manage risks from third-party AI components
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is GHSA-xr4f-mjxj-w6w5?

OpenClaw's bundled device-pair plugin exposed the `/pair` bootstrap flow on normal chat commands, letting any authorized non-owner sender in a shared Telegram, Discord, or Slack channel generate a device-enrollment code without owner, admin, or pairing scope — a textbook incorrect-authorization flaw (CWE-863) scoring CVSS 8.3 due to high confidentiality and integrity impact. The blast radius here is architectural rather than volumetric: only 4 tracked downstream dependents and no EPSS/CISA KEV data exist yet since this is a same-day GHSA disclosure with no public exploit or Nuclei template, but the underlying package carries a concerning 0/100 risk score and 425 other CVEs, signaling a broader hygiene problem worth watching. The realistic exposure is any team running OpenClaw as a chat-operated agent with more than one authorized human in the channel — a common setup for shared ops or support bots — where a low-privilege colleague, contractor, or compromised chat account can silently mint themselves persistent operator/node credentials. Patch to `openclaw@2026.5.4` immediately, then audit and prune the paired-devices list for any unrecognized entries, since enrolled devices retain access until manually removed. Until patched, restrict chat-channel command access to trusted admins only as a compensating control.

Is GHSA-xr4f-mjxj-w6w5 actively exploited?

No confirmed active exploitation of GHSA-xr4f-mjxj-w6w5 has been reported, but organizations should still patch proactively.

How to fix GHSA-xr4f-mjxj-w6w5?

1) Upgrade to `openclaw@2026.5.4` or later immediately — this is the only complete fix. 2) Audit the current list of paired devices and revoke/remove any entries you cannot attribute to a known, authorized device. 3) As a stopgap pre-patch, restrict chat-channel membership/command permissions so only owners/admins can interact with the agent, or disable the device-pair plugin if pairing isn't actively needed. 4) Post-patch, monitor for `/pair`-related command invocations from non-admin senders and alert on new device enrollments as a detection signal. 5) Given 425 other CVEs in this package, consider a broader dependency-hygiene review of the OpenClaw deployment.

What systems are affected by GHSA-xr4f-mjxj-w6w5?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-channel chat agents (Telegram/Discord/Slack bots), device/node pairing and enrollment systems.

What is the CVSS score for GHSA-xr4f-mjxj-w6w5?

GHSA-xr4f-mjxj-w6w5 has a CVSS v3.1 base score of 8.3 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-channel chat agents (Telegram/Discord/Slack bots)device/node pairing and enrollment systems

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.2
NIST AI RMF: MANAGE-1.3
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

### Summary The bundled device-pair plugin exposed `/pair` on normal chat command surfaces. In affected releases, authorized non-owner chat senders could issue device-pairing bootstrap codes without having owner, admin, or pairing scope. This issue does not affect unauthenticated users. The caller must already be allowed to send commands to the agent through a configured chat channel. ### Affected configurations This affects deployments where the bundled device-pair plugin is enabled and a non-owner sender is authorized to use normal chat commands, such as in a configured Telegram, Discord, or Slack agent. ### Impact A non-owner authorized sender could create a setup code and use it before expiry to enroll a device with operator/node capabilities. That device would then retain persistent credentials until removed. ### Patched Versions The first stable patched version is `2026.5.4`. ### Mitigations Upgrade to `openclaw@2026.5.4` or later. Review paired devices and remove any unexpected entries. In shared chat channels, keep command access limited to users who should be allowed to manage device pairing.

Exploitation Scenario

A contractor or team member with legitimate but limited access to a shared Slack channel running an OpenClaw-powered agent issues the normal-looking `/pair` chat command. Because the plugin doesn't verify owner/admin/pairing scope on that command, the agent returns a valid device-pairing setup code directly in the channel. The sender (or anyone who saw the message) uses that code from their own device before it expires, enrolling it as an operator/node. The agent now trusts that device with persistent credentials, giving the attacker standing access to whatever the agent can do — read internal context, invoke tools, or act as a quasi-admin — until someone notices and manually removes the paired device.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Timeline

Published
July 2, 2026
Last Modified
July 2, 2026
First Seen
July 2, 2026

Related Vulnerabilities