OpenClaw Long-Lived Credential Exposure Vulnerability in Pairing Setup Codes

Vulnerability

A vulnerability in OpenClaw versions prior to 2026.3.12 allows for the exposure of long-lived shared gateway credentials within pairing setup codes generated by the '/pair' endpoint and the 'OpenClaw qr' command. This issue arises because the credentials are embedded directly in the setup codes, which can be accessed through chat history, logs, or screenshots. Attackers who obtain these setup codes can recover and misuse the shared gateway credentials, bypassing the intended one-time pairing process.
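The design flaw described above, illustrated as an added example that is not OpenClaw's code: a setup-code scheme that embeds the long-lived credential next to one that carries only a random, short-lived, single-use pairing token which is redeemed once for the credential. The setup-code format, the PairingBroker class and GATEWAY_CREDENTIAL are hypothetical.

```python
import base64
import json
import secrets
import time
from typing import Optional

# Constructed placeholder; not a real OpenClaw credential.
GATEWAY_CREDENTIAL = "gw-shared-secret-PLACEHOLDER"


def _encode(payload: dict) -> str:
    # Hypothetical setup-code encoding: URL-safe base64 over a JSON object.
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()


def _decode(code: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(code.encode()))


# Flawed pattern: the long-lived credential rides inside the setup code, so
# anyone who later sees the code (chat history, logs, screenshots) holds it.
def flawed_setup_code(gateway_url: str, credential: str) -> str:
    return _encode({"url": gateway_url, "token": credential})


def credential_from_flawed_code(code: str) -> str:
    return _decode(code)["token"]


# Hardened pattern: the setup code carries only a random pairing token that
# expires and can be redeemed once; the credential never enters the code.
class PairingBroker:
    def __init__(self, credential: str, ttl_seconds: int = 300):
        self._credential = credential
        self._ttl = ttl_seconds
        self._pending: dict[str, float] = {}  # pairing token -> expiry time

    def issue_setup_code(self, gateway_url: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(24)
        self._pending[token] = (time.time() if now is None else now) + self._ttl
        return _encode({"url": gateway_url, "pair": token})

    def redeem(self, code: str, now: Optional[float] = None) -> Optional[str]:
        token = _decode(code).get("pair", "")
        expiry = self._pending.pop(token, None)  # pop: the token is burned
        if expiry is None or (time.time() if now is None else now) > expiry:
            return None
        return self._credential
```

Rotating the credential after an upgrade still matters: any flawed-format code captured earlier keeps working until the credential it embeds is changed.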

Impact

Exploitation of this vulnerability allows for the unauthorized reuse of shared gateway credentials, disrupting the intended one-time pairing flow and potentially leading to unauthorized access or actions within the application.

Remediation

Users are advised to update to OpenClaw version 2026.3.12 or later, and to rotate any shared gateway credentials that may have been exposed before the update.

Added: Mar 29, 2026, 1:19 PM
Updated: Mar 29, 2026, 1:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 4.3
remediation: 0.0
relevance: 4.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.