CVE-2026-32905
Description
OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenClaw before 2026.5.4 allows non-owner authorized chat senders to issue device-pairing bootstrap codes, enabling unauthorized device enrollment with persistent credentials.
Vulnerability
OpenClaw before version 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin. This affects deployments where the device-pair plugin is enabled and a non-owner sender is authorized to use normal chat commands (e.g., via Telegram, Discord, or Slack). The plugin exposed the /pair command on chat surfaces without proper scope validation, allowing authorized non-owner users to issue device-pairing bootstrap codes that should require owner or admin privileges [1][2].
Exploitation
An attacker must already be an authorized sender on a configured chat channel. No authentication bypass or user interaction is required beyond normal command access. The attacker issues the /pair command to generate a bootstrap code, then uses that code before expiry to enroll a device with operator or node capabilities [1].
Impact
Successful exploitation grants the attacker persistent credentials for a device enrolled with operator or node capabilities on the OpenClaw agent. The device retains these credentials until manually removed by an owner. This could lead to unauthorized system access or control, depending on the device's role [1][2].
Mitigation
The first stable patched version is 2026.5.4. Users should upgrade to this version or later. As a workaround, review paired devices and remove any unexpected entries. In shared chat channels, keep command access limited to trusted users who should be allowed to manage device pairing [1].
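The missing scope check described under Vulnerability and the paired-device review from the workaround above, as an added example that is not OpenClaw's code. The sender names, roles, command table and pairing-record fields (including `issuedBy`) are assumptions made for illustration.

```javascript
// Added illustration. Every name here (SENDERS, COMMAND_ROLES, authorizeLegacy,
// authorizeScoped, auditPairings, the record fields) is hypothetical and is not
// taken from the OpenClaw code base.

// Constructed sample: senders allowed to use chat commands on a channel.
const SENDERS = new Map([
  ["alice", { role: "owner" }],
  ["bob", { role: "admin" }],
  ["carol", { role: "member" }], // authorized for normal chat commands only
]);

// Roles allowed to run each command. Commands absent from the table are denied.
const COMMAND_ROLES = new Map([
  ["/help", new Set(["member", "admin", "owner"])],
  ["/status", new Set(["member", "admin", "owner"])],
  ["/pair", new Set(["admin", "owner"])], // issues a device-pairing bootstrap code
]);

// Pre-fix shape of the check: being an authorized sender is enough for any
// registered command, so a "member" can reach /pair.
function authorizeLegacy(senderId, command) {
  return SENDERS.has(senderId) && COMMAND_ROLES.has(command);
}

// Hardened shape: the sender must be authorized AND hold a role that the
// specific command requires. Unknown senders and unknown commands fail closed.
function authorizeScoped(senderId, command) {
  const sender = SENDERS.get(senderId);
  const allowed = COMMAND_ROLES.get(command);
  if (!sender || !allowed) return false;
  return allowed.has(sender.role);
}

// Constructed sample of paired-device records, as an owner might export them
// when reviewing pairings. The issuedBy field is an assumption.
const PAIRED_DEVICES = [
  { deviceId: "dev-01", capability: "operator", issuedBy: "alice" },
  { deviceId: "dev-02", capability: "node", issuedBy: "carol" },
  { deviceId: "dev-03", capability: "operator", issuedBy: "dave" }, // not in SENDERS
  { deviceId: "dev-04", capability: "node", issuedBy: "bob" },
];

// Flag operator/node devices whose bootstrap code came from someone who would
// not pass the scoped check. These are the entries to inspect and remove.
function auditPairings(devices) {
  return devices
    .filter((d) => d.capability === "operator" || d.capability === "node")
    .filter((d) => !authorizeScoped(d.issuedBy, "/pair"))
    .map((d) => ({
      deviceId: d.deviceId,
      issuedBy: d.issuedBy,
      reason: SENDERS.has(d.issuedBy)
        ? "issuer lacks owner/admin role"
        : "issuer is not a known sender",
    }));
}

// Side-by-side decision for /pair, one row per sender.
function pairDecisionTable() {
  return [...SENDERS.keys()].map((id) => ({
    sender: id,
    legacy: authorizeLegacy(id, "/pair"),
    scoped: authorizeScoped(id, "/pair"),
  }));
}

console.table(pairDecisionTable());
console.table(auditPairings(PAIRED_DEVICES));
```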
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 1
325df3efefe9 chore(release): bump to 2026.5.4
121 files changed · +197 −197
extensions/acpx/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/acpx", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw ACP runtime backend", "repository": { "type": "git", @@ -25,10 +25,10 @@ "minHostVersion": ">=2026.4.25" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3", + "openclawVersion": "2026.5.4", "staticAssets": [ { "source": "./src/runtime-internals/mcp-proxy.mjs",
extensions/alibaba/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/alibaba-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Alibaba Model Studio video provider plugin", "type": "module",
extensions/amazon-bedrock-mantle/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/amazon-bedrock-mantle-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Amazon Bedrock Mantle (OpenAI-compatible) provider plugin", "type": "module",
extensions/amazon-bedrock/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/amazon-bedrock-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Amazon Bedrock provider plugin", "type": "module",
extensions/anthropic/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/anthropic-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Anthropic provider plugin", "type": "module",
extensions/anthropic-vertex/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/anthropic-vertex-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Anthropic Vertex provider plugin", "type": "module",
extensions/arcee/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/arcee-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Arcee provider plugin", "type": "module",
extensions/azure-speech/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/azure-speech", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Azure Speech plugin", "type": "module",
extensions/bluebubbles/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/bluebubbles", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw BlueBubbles channel plugin", "repository": { "type": "git", @@ -12,7 +12,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -53,10 +53,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/bonjour/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/bonjour", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Bonjour/mDNS gateway discovery", "type": "module", "dependencies": {
extensions/brave/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/brave-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Brave plugin", "repository": { "type": "git", @@ -20,10 +20,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/browser/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/browser-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw browser tool plugin", "type": "module",
extensions/byteplus/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/byteplus-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw BytePlus provider plugin", "type": "module",
extensions/cerebras/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/cerebras-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Cerebras provider plugin", "type": "module",
extensions/chutes/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/chutes-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Chutes.ai provider plugin", "type": "module",
extensions/cloudflare-ai-gateway/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/cloudflare-ai-gateway-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Cloudflare AI Gateway provider plugin", "type": "module",
extensions/codex/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/codex", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Codex harness and model provider plugin", "repository": { "type": "git", @@ -27,10 +27,10 @@ "minHostVersion": ">=2026.5.1-beta.1" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/comfy/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/comfy-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw ComfyUI provider plugin", "type": "module",
extensions/copilot-proxy/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/copilot-proxy", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Copilot Proxy provider plugin", "type": "module",
extensions/deepgram/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/deepgram-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Deepgram media-understanding provider", "type": "module",
extensions/deepinfra/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/deepinfra-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw DeepInfra provider plugin", "type": "module",
extensions/deepseek/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/deepseek-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw DeepSeek provider plugin", "type": "module",
extensions/diagnostics-otel/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/diagnostics-otel", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw diagnostics OpenTelemetry exporter", "repository": { "type": "git", @@ -34,10 +34,10 @@ "minHostVersion": ">=2026.4.25" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/diagnostics-prometheus/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/diagnostics-prometheus", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw diagnostics Prometheus exporter", "repository": { "type": "git", @@ -21,10 +21,10 @@ "minHostVersion": ">=2026.4.25" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/diffs/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/diffs", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw diff viewer plugin", "repository": { "type": "git", @@ -30,10 +30,10 @@ "minHostVersion": ">=2026.4.30" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3", + "openclawVersion": "2026.5.4", "staticAssets": [ { "source": "./assets/viewer-runtime.js",
extensions/discord/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/discord", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Discord channel plugin", "repository": { "type": "git", @@ -21,7 +21,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -65,10 +65,10 @@ "allowInvalidConfigRecovery": true }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/document-extract/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/document-extract-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw local document extraction plugin", "type": "module",
extensions/duckduckgo/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/duckduckgo-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw DuckDuckGo plugin", "type": "module",
extensions/elevenlabs/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/elevenlabs-speech", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw ElevenLabs speech plugin", "type": "module",
extensions/exa/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/exa-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Exa plugin", "type": "module",
extensions/fal/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/fal-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw fal provider plugin", "type": "module",
extensions/feishu/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/feishu", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)", "repository": { "type": "git", @@ -16,7 +16,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -47,10 +47,10 @@ "minHostVersion": ">=2026.4.25" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/file-transfer/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/file-transfer", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw file transfer plugin (file_fetch, dir_list, dir_fetch, file_write)", "type": "module", "dependencies": {
extensions/firecrawl/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/firecrawl-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Firecrawl plugin", "type": "module",
extensions/fireworks/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/fireworks-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Fireworks provider plugin", "type": "module",
extensions/github-copilot/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/github-copilot-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw GitHub Copilot provider plugin", "type": "module",
extensions/googlechat/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/googlechat", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Google Chat channel plugin", "repository": { "type": "git", @@ -17,7 +17,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -75,10 +75,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/google-meet/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/google-meet", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Google Meet participant plugin", "repository": { "type": "git", @@ -16,7 +16,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -33,10 +33,10 @@ "minHostVersion": ">=2026.4.20" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/google/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/google-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Google plugin", "type": "module",
extensions/gradium/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/gradium-speech", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Gradium speech plugin", "type": "module",
extensions/groq/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/groq-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Groq media-understanding provider", "type": "module",
extensions/huggingface/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/huggingface-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Hugging Face provider plugin", "type": "module",
extensions/image-generation-core/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/image-generation-core", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw image generation runtime package", "type": "module",
extensions/imessage/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/imessage", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw iMessage channel plugin", "type": "module",
extensions/inworld/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/inworld-speech", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Inworld speech plugin", "type": "module",
extensions/irc/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/irc", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw IRC channel plugin", "type": "module", "devDependencies": {
extensions/kilocode/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/kilocode-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Kilo Gateway provider plugin", "type": "module",
extensions/kimi-coding/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/kimi-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Kimi provider plugin", "type": "module",
extensions/line/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/line", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw LINE channel plugin", "repository": { "type": "git", @@ -15,7 +15,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -45,10 +45,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/litellm/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/litellm-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw LiteLLM provider plugin", "type": "module",
extensions/llm-task/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/llm-task", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw JSON-only LLM task plugin", "type": "module",
extensions/lmstudio/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/lmstudio-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw LM Studio provider plugin", "type": "module",
extensions/lobster/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/lobster", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "Lobster workflow tool plugin (typed pipelines + resumable approvals)", "repository": { "type": "git", @@ -25,10 +25,10 @@ "minHostVersion": ">=2026.4.25" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/matrix/package.json+2 −2 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/matrix", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Matrix channel plugin", "repository": { "type": "git", @@ -21,7 +21,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": {
extensions/mattermost/package.json+2 −2 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/mattermost", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Mattermost channel plugin", "repository": { "type": "git", @@ -15,7 +15,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": {
extensions/media-understanding-core/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/media-understanding-core", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw media understanding runtime package", "type": "module",
extensions/memory-core/package.json+2 −2 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/memory-core", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw core memory search plugin", "type": "module", @@ -14,7 +14,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": {
extensions/memory-lancedb/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/memory-lancedb", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw LanceDB-backed long-term memory plugin with auto-recall/capture", "repository": { "type": "git", @@ -26,10 +26,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/memory-wiki/package.json+2 −2 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/memory-wiki", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw persistent wiki plugin", "type": "module", @@ -13,7 +13,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": {
extensions/microsoft-foundry/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/microsoft-foundry", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Microsoft Foundry provider plugin", "type": "module",
extensions/microsoft/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/microsoft-speech", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Microsoft speech plugin", "type": "module",
extensions/migrate-claude/package.json+2 −2 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/migrate-claude", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "Claude to OpenClaw migration provider", "type": "module", @@ -9,7 +9,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": {
extensions/migrate-hermes/package.json+2 −2 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/migrate-hermes", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "Hermes to OpenClaw migration provider", "type": "module", @@ -12,7 +12,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": {
extensions/minimax/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/minimax-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw MiniMax provider and OAuth plugin", "type": "module",
extensions/mistral/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/mistral-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Mistral provider plugin", "type": "module",
extensions/moonshot/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/moonshot-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Moonshot provider plugin", "type": "module",
extensions/msteams/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/msteams", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Microsoft Teams channel plugin", "repository": { "type": "git", @@ -22,7 +22,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -58,10 +58,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/nextcloud-talk/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/nextcloud-talk", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Nextcloud Talk channel plugin", "repository": { "type": "git", @@ -15,7 +15,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -47,10 +47,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/nostr/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/nostr", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Nostr channel plugin for NIP-04 encrypted DMs", "repository": { "type": "git", @@ -16,7 +16,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -54,10 +54,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/nvidia/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/nvidia-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw NVIDIA provider plugin", "type": "module",
extensions/ollama/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/ollama-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Ollama provider plugin", "type": "module",
extensions/openai/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/openai-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw OpenAI provider plugins", "type": "module",
extensions/opencode-go/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/opencode-go-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw OpenCode Go provider plugin", "type": "module",
extensions/opencode/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/opencode-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw OpenCode Zen provider plugin", "type": "module",
extensions/open-prose/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/open-prose", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenProse VM skill pack plugin (slash command + telemetry).", "type": "module",
extensions/openrouter/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/openrouter-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw OpenRouter provider plugin", "type": "module",
extensions/openshell/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/openshell-sandbox", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw OpenShell sandbox backend", "type": "module",
extensions/perplexity/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/perplexity-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Perplexity plugin", "type": "module",
extensions/qa-channel/package.json+2 −2 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/qa-channel", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw QA synthetic channel plugin", "type": "module", @@ -18,7 +18,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": {
extensions/qa-lab/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/qa-lab", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw QA lab plugin with private debugger UI and scenario runner", "type": "module", @@ -18,7 +18,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -30,7 +30,7 @@ "./index.ts" ], "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" } } }
extensions/qa-matrix/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/qa-matrix", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Matrix QA runner plugin", "type": "module", @@ -13,7 +13,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -25,7 +25,7 @@ "./index.ts" ], "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" } } }
extensions/qianfan/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/qianfan-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Qianfan provider plugin", "type": "module",
extensions/qqbot/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/qqbot", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": false, "description": "OpenClaw QQ Bot channel plugin", "repository": { @@ -21,7 +21,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -50,10 +50,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/qwen/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/qwen-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Qwen Cloud provider plugin", "type": "module",
extensions/runway/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/runway-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Runway video provider plugin", "type": "module",
extensions/searxng/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/searxng-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw SearXNG plugin", "type": "module",
extensions/senseaudio/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/senseaudio-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw SenseAudio media-understanding provider", "type": "module",
extensions/sglang/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/sglang-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw SGLang provider plugin", "type": "module",
extensions/signal/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/signal", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Signal channel plugin", "type": "module",
extensions/skill-workshop/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/skill-workshop", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw skill workshop plugin", "type": "module",
extensions/slack/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/slack", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Slack channel plugin", "type": "module",
extensions/speech-core/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/speech-core", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw speech runtime package", "type": "module",
extensions/stepfun/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/stepfun-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw StepFun provider plugin", "type": "module",
extensions/synology-chat/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/synology-chat", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "Synology Chat channel plugin for OpenClaw", "repository": { "type": "git", @@ -33,10 +33,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/synthetic/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/synthetic-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Synthetic provider plugin", "type": "module",
extensions/tavily/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/tavily-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Tavily plugin", "type": "module",
extensions/telegram/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/telegram", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Telegram channel plugin", "type": "module",
extensions/tencent/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/tencent-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Tencent Cloud provider plugin (TokenHub + Token Plan)", "type": "module",
extensions/tlon/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/tlon", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Tlon/Urbit channel plugin", "repository": { "type": "git", @@ -18,7 +18,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -72,10 +72,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/together/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/together-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Together provider plugin", "type": "module",
extensions/tokenjuice/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/tokenjuice", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "Bundled tokenjuice exec output compaction plugin", "type": "module", "dependencies": {
extensions/tts-local-cli/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/tts-local-cli", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw local CLI TTS plugin", "type": "module",
extensions/twitch/package.json+3 −3 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/twitch", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Twitch channel plugin", "repository": { "type": "git", @@ -26,10 +26,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "channel": { "id": "twitch",
extensions/venice/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/venice-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Venice provider plugin", "type": "module",
extensions/vercel-ai-gateway/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/vercel-ai-gateway-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Vercel AI Gateway provider plugin", "type": "module",
extensions/video-generation-core/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/video-generation-core", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw video generation runtime package", "type": "module",
extensions/vllm/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/vllm-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw vLLM provider plugin", "type": "module",
extensions/voice-call/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/voice-call", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw voice-call plugin", "repository": { "type": "git", @@ -17,7 +17,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -34,10 +34,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/volcengine/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/volcengine-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Volcengine provider plugin", "type": "module",
extensions/voyage/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/voyage-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Voyage embedding provider plugin", "type": "module",
extensions/vydra/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/vydra-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Vydra media provider plugin", "type": "module",
extensions/webhooks/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/webhooks", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw webhook bridge plugin", "type": "module",
extensions/web-readability/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/web-readability-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw local Readability web extraction plugin", "type": "module",
extensions/whatsapp/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/whatsapp", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw WhatsApp channel plugin", "repository": { "type": "git", @@ -19,7 +19,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -61,10 +61,10 @@ "minHostVersion": ">=2026.4.25" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/xai/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/xai-plugin", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw xAI plugin", "type": "module",
extensions/xiaomi/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/xiaomi-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Xiaomi provider plugin", "type": "module",
extensions/zai/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/zai-provider", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "private": true, "description": "OpenClaw Z.AI provider plugin", "type": "module",
extensions/zalo/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/zalo", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Zalo channel plugin", "repository": { "type": "git", @@ -15,7 +15,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -46,10 +46,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
extensions/zalouser/package.json+4 −4 modified@@ -1,6 +1,6 @@ { "name": "@openclaw/zalouser", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "OpenClaw Zalo Personal Account plugin via native zca-js integration", "repository": { "type": "git", @@ -16,7 +16,7 @@ "openclaw": "workspace:*" }, "peerDependencies": { - "openclaw": ">=2026.5.4-beta.3" + "openclaw": ">=2026.5.4" }, "peerDependenciesMeta": { "openclaw": { @@ -53,10 +53,10 @@ "minHostVersion": ">=2026.4.10" }, "compat": { - "pluginApi": ">=2026.5.4-beta.3" + "pluginApi": ">=2026.5.4" }, "build": { - "openclawVersion": "2026.5.4-beta.3" + "openclawVersion": "2026.5.4" }, "release": { "publishToClawHub": true,
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "openclaw", - "version": "2026.5.4-beta.3", + "version": "2026.5.4", "description": "Multi-channel AI gateway with extensible messaging integrations", "keywords": [], "homepage": "https://github.com/openclaw/openclaw#readme",
src/config/schema.base.generated.ts+1 −1 modified@@ -29422,6 +29422,6 @@ export const GENERATED_BASE_CONFIG_SCHEMA: BaseConfigSchemaResponse = { tags: ["advanced", "url-secret"], }, }, - version: "2026.5.4-beta.3", + version: "2026.5.4", generatedAt: "2026-03-22T21:17:33.302Z", };
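Review bot: the host constraints in the channel-plugin manifests now disagree. In qqbot, synology-chat, tlon, twitch, voice-call, zalo and zalouser, `compat.pluginApi` and `build.openclawVersion` move to 2026.5.4 while the unchanged context line `"minHostVersion": ">=2026.4.10"` (`">=2026.4.25"` in whatsapp) still admits hosts older than the release this commit stamps. Either raise `minHostVersion` to `">=2026.5.4"` in the same commit or document next to the field why the lower floor is intentional, so the effective minimum host is unambiguous.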
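Review bot: in src/config/schema.base.generated.ts only the `version` string changes, while the context line `generatedAt: "2026-03-22T21:17:33.302Z"` is untouched, which reads as a hand edit of a generated file. Regenerate the schema with the project's generator as part of the release bump, or note in the commit message that `generatedAt` is deliberately pinned, so the file content and its metadata can be trusted to match.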
Vulnerability mechanics
Root cause
"Missing scope validation in the bundled device-pair plugin allows non-owner authorized chat senders to issue device-pairing bootstrap codes."
Attack vector
An attacker who already has chat command access (e.g., a non-owner authorized sender in a Nextcloud Talk, WhatsApp, Zalo, LINE, or other supported channel) can invoke the device-pair plugin's bootstrap-code generation command. The plugin does not validate whether the requester holds the "owner" scope required to enroll new devices. By sending a crafted chat command, the attacker obtains a setup code that can be used to enroll a device with operator/node capabilities, granting persistent credentials that remain valid until manually removed. The attack is network-based, requires low privileges (any authorized chat sender), and needs no user interaction.
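The missing check described above, modelled as an added example that is not OpenClaw's code: a handler that treats "may use chat commands" as sufficient for `/pair`, next to a dispatcher where each command declares its required scope and anything undeclared is denied. All names (`SENDERS`, `REQUIRED_SCOPE`, `dispatch`, the scope strings, the expiry window) are hypothetical.

```javascript
// Hypothetical model of a chat command dispatcher; none of these names are OpenClaw APIs.
const { randomBytes } = require("node:crypto");

// Constructed sample policy: who may use chat commands, and with which scopes.
const SENDERS = new Map([
  ["alice", { scopes: new Set(["chat", "owner"]) }],
  ["bob", { scopes: new Set(["chat"]) }], // authorized sender, not an owner
]);

const CODE_TTL_MS = 10 * 60 * 1000; // assumed expiry window for a bootstrap code

function issueBootstrapCode(issuedBy, now) {
  return { code: randomBytes(16).toString("hex"), issuedBy, expiresAt: now + CODE_TTL_MS };
}

// Flawed shape: any sender with chat access reaches the pairing handler.
function handlePairVulnerable(senderId, now = Date.now()) {
  const sender = SENDERS.get(senderId);
  if (!sender || !sender.scopes.has("chat")) return { ok: false, reason: "denied" };
  return { ok: true, bootstrap: issueBootstrapCode(senderId, now) };
}

// Hardened shape: every command declares a required scope; unknown commands are denied.
const REQUIRED_SCOPE = new Map([
  ["/help", "chat"],
  ["/pair", "owner"],
]);

function dispatch(senderId, command, now = Date.now()) {
  const sender = SENDERS.get(senderId);
  const required = REQUIRED_SCOPE.get(command);
  if (!sender || !required) return { ok: false, reason: "denied" };
  if (!sender.scopes.has(required)) return { ok: false, reason: `missing-scope:${required}` };
  if (command === "/pair") return { ok: true, bootstrap: issueBootstrapCode(senderId, now) };
  return { ok: true };
}
```

Logging the `missing-scope:owner` denials gives an owner a record of pairing attempts from senders who should not be issuing codes.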
Affected code
The vulnerability resides in the bundled device-pair plugin within OpenClaw. The patch does not show the specific plugin source files; only version metadata in package.json files across multiple extensions (nextcloud-talk, zalouser, zalo, whatsapp, voice-call, google-meet, tlon, line, bluebubbles, qqbot) is updated [patch_id=3102121]. The advisory does not specify the exact function or file path of the flawed scope check.
What the fix does
The patch [patch_id=3102121] is a version bump commit that updates all extension package.json files from version "2026.5.4-beta.3" to "2026.5.4" and updates peerDependency and compat.pluginApi constraints accordingly. The advisory states that the fix addresses an authorization bypass in the bundled device-pair plugin, but the provided diff does not contain the actual code changes to the plugin's authorization logic — those changes were presumably included in earlier commits within the 2026.5.4 release cycle. The remediation guidance is to upgrade to OpenClaw 2026.5.4 or later.
Preconditions
- auth: Attacker must be an authorized chat sender (non-owner) in a channel supported by OpenClaw (e.g., Nextcloud Talk, WhatsApp, Zalo, LINE).
- input: Attacker must be able to send chat commands that reach the device-pair plugin's bootstrap-code generation handler.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.