Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible by low-privileged operators (PR:L), but the AT:P re-pairing state prerequisite maps to AC:H; no availability or cross-system impact applies.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access.
AnalysisAI
Scope containment bypass in OpenClaw before 2026.4.25 allows authenticated operators to recover broader device access than their current authorization permits by exploiting a missing validation path in the device re-pairing flow. By sending re-pairing requests with empty scope sets, an operator can silently skip containment guards and retain or restore access to devices outside their assigned scope boundaries - an especially significant risk in multi-tenant or shared-operator deployments. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Technical ContextAI
OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) implements a device scope containment model that enforces per-operator access boundaries during device re-pairing operations. The root cause maps to CWE-636 ('Not Failing Securely / Using the Insecure Alternative'), a logic flaw class where the application, upon receiving an anomalous or empty input, chooses the insecure path - in this case, skipping containment guard evaluation entirely rather than rejecting or defaulting to minimal scope. The flaw is a server-side authorization enforcement failure in the re-pairing handler, not a memory corruption or injection vulnerability; the empty scope set acts as a sentinel that the guard code fails to handle as an invalid or restricted case.
RemediationAI
The primary remediation is to upgrade OpenClaw to version 2026.4.25 or later, which is confirmed as the fix version by the vendor GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-8mg9-j9cf-54cj. If immediate patching is not feasible, restrict the device re-pairing API endpoint to only highly privileged or individually authorized accounts rather than general operator-level roles, thereby reducing the population of users who can invoke re-pairing. Additionally, deploy monitoring or alerting for re-pairing API requests that contain empty or null scope parameters - these are anomalous in normal operations and would indicate exploitation attempts. Neither workaround eliminates the underlying flaw, so patching remains the definitive resolution; the scope-restriction mitigation may cause operational disruption if operators legitimately need re-pairing access, so scoping of the restriction should be validated against operational requirements.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-636 – Not Failing Securely ('Failing Open')
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37154
GHSA-8mg9-j9cf-54cj