High severity8.3NVD Advisory· Published May 29, 2026· Updated Jun 1, 2026
CVE-2026-32905
CVE-2026-32905
Description
OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
2- github.com/openclaw/openclaw/security/advisories/GHSA-xr4f-mjxj-w6w5nvdMitigationVendor Advisory
- www.vulncheck.com/advisories/openclaw-unauthorized-device-pairing-bootstrap-code-issuance-via-chat-commandnvdThird Party Advisory
News mentions
1- OpenClaw: Six Authorization and Scope Bypass CVEs Disclosed in Single AdvisoryVypr Intelligence · May 29, 2026