AI Threat Alert AI Threat Alert

GHSA-xrq9-jm7v-g9h7

GHSA-xrq9-jm7v-g9h7 LOW
Published April 25, 2026

## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the...

Full CISO analysis pending enrichment.

Affected Systems

Package Ecosystem Vulnerable Range Patched
openclaw npm < 2026.4.20 2026.4.20
2 dependents 93% patched ~1d to patch Full package profile →

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Recommended Action

Patch available

Update openclaw to version 2026.4.20

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is GHSA-xrq9-jm7v-g9h7?

OpenClaw: Paired-device pairing actions were not limited to the caller device

Is GHSA-xrq9-jm7v-g9h7 actively exploited?

No confirmed active exploitation of GHSA-xrq9-jm7v-g9h7 has been reported, but organizations should still patch proactively.

How to fix GHSA-xrq9-jm7v-g9h7?

Update to patched version: openclaw 2026.4.20.

What is the CVSS score for GHSA-xrq9-jm7v-g9h7?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling. This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low. ## Fix Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests. Fix commit: - `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6` ## Release Fixed in OpenClaw `2026.4.20`.

Weaknesses (CWE)

CWE-284 Improper Access Control Primary CWE-863 Incorrect Authorization Primary

References

Timeline

Published
April 25, 2026
Last Modified
April 25, 2026
First Seen
April 26, 2026

Related Vulnerabilities

CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-m3mh-3mpg-37hw 8.6

OpenClaw: .npmrc hijack enables RCE on plugin install

Same package: openclaw
HIGH CVE-2026-27001 7.8

OpenClaw: prompt injection via unsanitized workspace path

Same package: openclaw
HIGH GHSA-hr5v-j9h9-xjhg 7.7

OpenClaw: sandbox escape via mediaUrl path traversal

Same package: openclaw
Back to Threat Feed