GHSA-xr4f-mjxj-w6w5: OpenClaw: chat auth bypass enables device pairing hijack
GHSA-xr4f-mjxj-w6w5 HIGHOpenClaw's bundled device-pair plugin exposed the `/pair` bootstrap flow on normal chat commands, letting any authorized non-owner sender in a shared Telegram, Discord, or Slack channel generate a device-enrollment code without owner, admin, or pairing scope — a textbook incorrect-authorization flaw (CWE-863) scoring CVSS 8.3 due to high confidentiality and integrity impact. The blast radius here is architectural rather than volumetric: only 4 tracked downstream dependents and no EPSS/CISA KEV data exist yet since this is a same-day GHSA disclosure with no public exploit or Nuclei template, but the underlying package carries a concerning 0/100 risk score and 425 other CVEs, signaling a broader hygiene problem worth watching. The realistic exposure is any team running OpenClaw as a chat-operated agent with more than one authorized human in the channel — a common setup for shared ops or support bots — where a low-privilege colleague, contractor, or compromised chat account can silently mint themselves persistent operator/node credentials. Patch to `openclaw@2026.5.4` immediately, then audit and prune the paired-devices list for any unrecognized entries, since enrolled devices retain access until manually removed. Until patched, restrict chat-channel command access to trusted admins only as a compensating control.
What is the risk?
High severity (CVSS 8.3, AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:L) but gated by a real precondition: the attacker must already be an authorized sender able to issue normal chat commands, so this is not exploitable by anonymous internet actors. Within that population, exploitation is low-complexity and requires no user interaction — a single chat command triggers code generation, and using it before expiry completes the takeover. No EPSS score, CISA KEV listing, public exploit, or scanner template exists yet given the advisory's same-day disclosure, so treat likelihood as currently unconfirmed rather than low; incorrect-authorization bugs in chat-command surfaces are straightforward to weaponize once details circulate. The package's 0/100 OpenSSF-style risk score and history of 425 prior CVEs argue for tightening operational hygiene around this dependency regardless of this specific fix.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.5.4 | 2026.5.4 |
Do you use OpenClaw? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Upgrade to
openclaw@2026.5.4or later immediately — this is the only complete fix. 2) Audit the current list of paired devices and revoke/remove any entries you cannot attribute to a known, authorized device. 3) As a stopgap pre-patch, restrict chat-channel membership/command permissions so only owners/admins can interact with the agent, or disable the device-pair plugin if pairing isn't actively needed. 4) Post-patch, monitor for/pair-related command invocations from non-admin senders and alert on new device enrollments as a detection signal. 5) Given 425 other CVEs in this package, consider a broader dependency-hygiene review of the OpenClaw deployment.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-xr4f-mjxj-w6w5?
OpenClaw's bundled device-pair plugin exposed the `/pair` bootstrap flow on normal chat commands, letting any authorized non-owner sender in a shared Telegram, Discord, or Slack channel generate a device-enrollment code without owner, admin, or pairing scope — a textbook incorrect-authorization flaw (CWE-863) scoring CVSS 8.3 due to high confidentiality and integrity impact. The blast radius here is architectural rather than volumetric: only 4 tracked downstream dependents and no EPSS/CISA KEV data exist yet since this is a same-day GHSA disclosure with no public exploit or Nuclei template, but the underlying package carries a concerning 0/100 risk score and 425 other CVEs, signaling a broader hygiene problem worth watching. The realistic exposure is any team running OpenClaw as a chat-operated agent with more than one authorized human in the channel — a common setup for shared ops or support bots — where a low-privilege colleague, contractor, or compromised chat account can silently mint themselves persistent operator/node credentials. Patch to `openclaw@2026.5.4` immediately, then audit and prune the paired-devices list for any unrecognized entries, since enrolled devices retain access until manually removed. Until patched, restrict chat-channel command access to trusted admins only as a compensating control.
Is GHSA-xr4f-mjxj-w6w5 actively exploited?
No confirmed active exploitation of GHSA-xr4f-mjxj-w6w5 has been reported, but organizations should still patch proactively.
How to fix GHSA-xr4f-mjxj-w6w5?
1) Upgrade to `openclaw@2026.5.4` or later immediately — this is the only complete fix. 2) Audit the current list of paired devices and revoke/remove any entries you cannot attribute to a known, authorized device. 3) As a stopgap pre-patch, restrict chat-channel membership/command permissions so only owners/admins can interact with the agent, or disable the device-pair plugin if pairing isn't actively needed. 4) Post-patch, monitor for `/pair`-related command invocations from non-admin senders and alert on new device enrollments as a detection signal. 5) Given 425 other CVEs in this package, consider a broader dependency-hygiene review of the OpenClaw deployment.
What systems are affected by GHSA-xr4f-mjxj-w6w5?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-channel chat agents (Telegram/Discord/Slack bots), device/node pairing and enrollment systems.
What is the CVSS score for GHSA-xr4f-mjxj-w6w5?
GHSA-xr4f-mjxj-w6w5 has a CVSS v3.1 base score of 8.3 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0053 AI Agent Tool Invocation AML.T0081 Modify AI Agent Configuration AML.T0091.000 Application Access Token Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary The bundled device-pair plugin exposed `/pair` on normal chat command surfaces. In affected releases, authorized non-owner chat senders could issue device-pairing bootstrap codes without having owner, admin, or pairing scope. This issue does not affect unauthenticated users. The caller must already be allowed to send commands to the agent through a configured chat channel. ### Affected configurations This affects deployments where the bundled device-pair plugin is enabled and a non-owner sender is authorized to use normal chat commands, such as in a configured Telegram, Discord, or Slack agent. ### Impact A non-owner authorized sender could create a setup code and use it before expiry to enroll a device with operator/node capabilities. That device would then retain persistent credentials until removed. ### Patched Versions The first stable patched version is `2026.5.4`. ### Mitigations Upgrade to `openclaw@2026.5.4` or later. Review paired devices and remove any unexpected entries. In shared chat channels, keep command access limited to users who should be allowed to manage device pairing.
Exploitation Scenario
A contractor or team member with legitimate but limited access to a shared Slack channel running an OpenClaw-powered agent issues the normal-looking `/pair` chat command. Because the plugin doesn't verify owner/admin/pairing scope on that command, the agent returns a valid device-pairing setup code directly in the channel. The sender (or anyone who saw the message) uses that code from their own device before it expires, enrolling it as an operator/node. The agent now trusts that device with persistent credentials, giving the attacker standing access to whatever the agent can do — read internal context, invoke tools, or act as a quasi-admin — until someone notices and manually removes the paired device.
Weaknesses (CWE)
CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw