GHSA-553v-f69r-656j.yaml
info:
  name: OpenClaw
  cve: GHSA-553v-f69r-656j
  summary: OpenClaw Unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
  details: >-
    Summary

    A client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including
    operator.admin) before pairing approval, enabling privilege escalation.


    Impact

    Attackers with valid shared gateway auth could self-assign higher operator scopes by presenting a self-signed, unpaired
    device identity.


    Affected Packages / Versions

    - Package: openclaw (npm)

    - Affected: >= 2026.2.22 <= 2026.2.24

    - Latest published npm at triage time: 2026.2.24

    - Planned patched release: 2026.2.25


    Remediation

    Require pairing for operator device-identity sessions authenticated with shared token/password auth (except existing control-ui
    trusted-proxy/control-ui bypass policy paths).
  cvss: ''
  severity: MEDIUM
  security_advise: Upgrade openclaw to >= 2026.2.25 or later. Commit(s) - 8d1481cb4a9d31bd617e52dc8c392c35689d9dea
  references:
    - https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j
rule: version >= "2026.2.22" && version <= "2026.2.24"
references:
  - https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j