OpenClaw — CVE-2026-33579 Privilege Escalation via Missing Scope Validation in Device Pairing

  • CVE-2026-33579 (CVSS 9.8 Critical): A privilege escalation vulnerability in OpenClaw's /pair approve command path that fails to forward caller scopes into the core approval check
  • A caller with basic pairing privileges — but no admin privileges — can approve pending device requests asking for broader scopes, including full admin access, by exploiting missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts
  • Approximately 63% of internet-connected OpenClaw instances were running without any authentication at all, meaning attackers could walk in without any credentials and escalate to admin
  • The patch was released on April 5, 2026, but the CVE listing did not appear until April 8, a three-day gap that gave attentive attackers a head start before most users knew to update
  • This is the sixth pairing-related vulnerability disclosed in OpenClaw in six weeks — all variations on the same underlying design flaw in how the tool handles permissions
  • Each patch has addressed a specific exploit in isolation rather than rearchitecting the authorization system responsible for all of them
  • Discovered by researchers at Blink; CVE assigned by VulnCheck using CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • The fix commit (e403decb) adds proper scope propagation into the approval check, but the pattern of recurring pairing vulnerabilities suggests systemic authorization design issues
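The bug class the bullets describe, as an added illustration (this is not OpenClaw's code and not the fix commit; the types, function names, store and scope strings are assumptions made for the example): a command layer that authorizes only "may this caller use /pair approve at all?" and then calls the core approval routine with the caller's id but not the caller's scopes, next to the hardened shape in which the scopes are forwarded and the core refuses to grant anything the approver does not itself hold.

```typescript
// Added illustration of missing scope propagation into a pairing approval check.
// Not OpenClaw's code: every type, name and scope string here is an assumption.

type Scope = "pair" | "read" | "write" | "admin";

interface Caller {
  id: string;
  scopes: Scope[];
}

interface PendingRequest {
  requestId: string;
  deviceId: string;
  requestedScopes: Scope[];
}

interface Approval {
  deviceId: string;
  grantedScopes: Scope[];
  approvedBy: string;
}

function hasScope(scopes: Scope[], wanted: Scope): boolean {
  return scopes.indexOf(wanted) !== -1;
}

// Minimal in-memory pairing state standing in for whatever a real service keeps.
class PairingStore {
  private pending: { [requestId: string]: PendingRequest } = {};
  readonly approvals: Approval[] = [];

  addRequest(req: PendingRequest): void {
    this.pending[req.requestId] = req;
  }

  getRequest(requestId: string): PendingRequest {
    const req = this.pending[requestId];
    if (!req) throw new Error(`unknown pairing request ${requestId}`);
    return req;
  }

  // Consumes the pending request and records the approval.
  complete(req: PendingRequest, approvedBy: string): Approval {
    delete this.pending[req.requestId];
    const approval: Approval = { deviceId: req.deviceId, grantedScopes: req.requestedScopes, approvedBy };
    this.approvals.push(approval);
    return approval;
  }
}

// --- Vulnerable shape: the core receives only the approver's id, so it has
// nothing to compare requestedScopes against and grants exactly what was asked.
function coreApproveVulnerable(store: PairingStore, requestId: string, approverId: string): Approval {
  return store.complete(store.getRequest(requestId), approverId);
}

function approveVulnerable(store: PairingStore, caller: Caller, requestId: string): Approval {
  if (!hasScope(caller.scopes, "pair")) throw new Error(`forbidden: ${caller.id} may not approve pairings`);
  return coreApproveVulnerable(store, requestId, caller.id); // caller.scopes are dropped here
}

// --- Hardened shape: the whole caller is forwarded and the core enforces the
// invariant that an approver can never grant a scope it does not hold. The check
// runs before the request is consumed, so a rejected request stays pending for a
// sufficiently privileged approver instead of vanishing.
function coreApproveHardened(store: PairingStore, requestId: string, approver: Caller): Approval {
  const req = store.getRequest(requestId);
  const excess = req.requestedScopes.filter((s) => !hasScope(approver.scopes, s));
  if (excess.length > 0) throw new Error(`forbidden: ${approver.id} cannot grant [${excess.join(", ")}]`);
  return store.complete(req, approver.id);
}

function approveHardened(store: PairingStore, caller: Caller, requestId: string): Approval {
  if (!hasScope(caller.scopes, "pair")) throw new Error(`forbidden: ${caller.id} may not approve pairings`);
  return coreApproveHardened(store, requestId, caller);
}

// Constructed scenario: a caller holding only "pair" and "read" approves a
// pending device request that asks for "admin".
function runScenario(): { vulnerableGranted: Scope[]; hardenedRejected: boolean; stillPending: boolean } {
  const lowPriv: Caller = { id: "alice", scopes: ["pair", "read"] };
  const newRequest = (): PendingRequest => ({ requestId: "req-1", deviceId: "laptop-7", requestedScopes: ["read", "admin"] });

  const vulnerableStore = new PairingStore();
  vulnerableStore.addRequest(newRequest());
  const vulnerableGranted = approveVulnerable(vulnerableStore, lowPriv, "req-1").grantedScopes;

  const hardenedStore = new PairingStore();
  hardenedStore.addRequest(newRequest());
  let hardenedRejected = false;
  try {
    approveHardened(hardenedStore, lowPriv, "req-1");
  } catch (_err) {
    hardenedRejected = hardenedStore.approvals.length === 0;
  }
  let stillPending = true;
  try {
    hardenedStore.getRequest("req-1");
  } catch (_err) {
    stillPending = false;
  }
  return { vulnerableGranted, hardenedRejected, stillPending };
}

console.log(runScenario());
```

The subset check is the minimal invariant that closes this class of bug; a stricter policy would additionally require a dedicated admin scope to approve any request that asks for admin, and would validate the requested scope names against a known list before comparing them.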

Why It Matters

OpenClaw is one of the most widely deployed AI agent frameworks, and users typically grant it access to local files, logged-in accounts, and application APIs, so the agent effectively runs with the permissions of the user who launched it. A privilege escalation to admin level therefore means complete control over the agent's capabilities, tool access, and connected services. Six pairing vulnerabilities in six weeks point to a deeper architectural problem: patching individual exploits without redesigning the authorization model leaves the door open for the seventh variation. And because roughly 63% of internet-connected instances run without authentication, an attacker on most exposed deployments does not even need to obtain a low-privilege pairing credential before reaching the vulnerable approval path.

What To Do

  • Update immediately — upgrade to OpenClaw version 2026.3.28 or later
  • Enable authentication — ensure your OpenClaw instance requires authentication; never expose it on the internet without auth
  • Audit activity logs — if you ran an unpatched version before the April 5, 2026 patch, treat your instance as potentially compromised. Review logs for unexpected tool calls, file access, or outbound connections, and for pairing approvals that granted admin or other broad scopes to devices you do not recognise
  • Rotate credentials — any API keys, tokens, or service credentials accessible from your OpenClaw instance should be considered potentially exposed
  • Monitor for follow-up CVEs — given the pattern of six pairing vulnerabilities in six weeks, expect additional disclosures and plan for ongoing patching
  • Consider network isolation — run OpenClaw on a dedicated machine or container with limited access to sensitive resources; apply firewall rules to restrict inbound connections
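One concrete form the log review step can take, as an added example rather than OpenClaw tooling: replay pairing approval events and flag every approval that granted a scope its approver did not legitimately hold, then list the devices whose pairing should be revoked. The JSON-lines format, the field names, the approver scope table and the sample events are all constructed for this example; adapt parseApprovals() to whatever your instance actually logs.

```typescript
// Added example, not OpenClaw tooling: retrospective triage of pairing approvals
// from an instance that ran an unpatched version. Log format and data are constructed.

interface ApproveEvent {
  ts: string;
  approver: string;
  device: string;
  granted: string[];
}

interface Finding {
  ts: string;
  device: string;
  approver: string;
  excess: string[];
}

// Scopes each approver legitimately held during the review window. Take this
// from your identity or role configuration, never from the log being audited.
const APPROVER_SCOPES: { [user: string]: string[] } = {
  alice: ["pair", "read"],
  root: ["pair", "read", "write", "admin"],
};

// Constructed sample log: one JSON object per line, including one malformed line.
const SAMPLE_LOG = [
  '{"ts":"2026-04-01T10:02:11Z","event":"pair.request","device":"laptop-7","requested":["read","admin"]}',
  '{"ts":"2026-04-01T10:03:40Z","event":"pair.approve","approver":"alice","device":"laptop-7","granted":["read","admin"]}',
  '{"ts":"2026-04-02T08:15:00Z","event":"pair.approve","approver":"root","device":"phone-2","granted":["read","write"]}',
  '{"ts":"2026-04-03T12:00:00Z","event":"pair.approve","approver":"alice","device":"tablet-1","granted":["read"]}',
  '{"ts":"2026-04-04T09:30:00Z","event":"pair.approve","approver":"ghost","device":"usb-9","granted":["read"]}',
  "garbage line that is not JSON",
].join("\n");

function parseApprovals(log: string): ApproveEvent[] {
  const out: ApproveEvent[] = [];
  for (const line of log.split("\n")) {
    if (line.trim() === "") continue;
    let obj: any;
    try {
      obj = JSON.parse(line);
    } catch (_err) {
      continue; // a malformed line must not abort the whole review
    }
    if (obj && obj.event === "pair.approve" && typeof obj.approver === "string" && Array.isArray(obj.granted)) {
      out.push({ ts: String(obj.ts), approver: obj.approver, device: String(obj.device), granted: obj.granted.map(String) });
    }
  }
  return out;
}

// Flags every approval that granted a scope the approver did not hold. An approver
// absent from the scope table is treated as holding nothing, so approvals made
// under unknown identities surface as well.
function findEscalations(log: string, approverScopes: { [user: string]: string[] }): Finding[] {
  const findings: Finding[] = [];
  for (const ev of parseApprovals(log)) {
    const held = approverScopes[ev.approver] || [];
    const excess = ev.granted.filter((s) => held.indexOf(s) === -1);
    if (excess.length > 0) findings.push({ ts: ev.ts, device: ev.device, approver: ev.approver, excess });
  }
  return findings;
}

// Distinct devices whose pairing should be revoked, in order of first sighting.
function devicesToRevoke(findings: Finding[]): string[] {
  const out: string[] = [];
  for (const f of findings) {
    if (out.indexOf(f.device) === -1) out.push(f.device);
  }
  return out;
}

const sampleFindings = findEscalations(SAMPLE_LOG, APPROVER_SCOPES);
console.log(sampleFindings, devicesToRevoke(sampleFindings));
```

A flagged approver is not necessarily a malicious insider: with this bug the approver identity may itself be a low-privilege pairing credential the attacker obtained or, on an unauthenticated instance, never needed. Treat every flagged device as hostile, revoke it, and rotate the credentials it could reach.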

Sources: