OpenClaw Improper Authorization Vulnerability in Paired-Device Pairing Management

Vulnerability

A vulnerability exists in OpenClaw versions prior to 2026.4.20: paired-device pairing management performs improper authorization checks. A limited-scope session can enumerate and act on pending pairing requests, so an attacker holding any paired-device session can approve or otherwise manage unrelated pending device requests within the same gateway scope.

Impact

Exploitation of this vulnerability lets a paired device read and manipulate the pairing requests of other devices in the same gateway. This authorization flaw could lead to unauthorized approval or rejection of device pairings.

Reproduction

The vulnerability can be reproduced with a non-admin paired-device session that uses the pairing management features: requests to approve or reject device pairings that belong to a different device, but fall within the same gateway scope, are accepted instead of being refused.
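The authorization gap described above, modelled as an added example that is not OpenClaw's code: a vulnerable approve handler that checks only gateway membership, beside a hardened policy in which gateway scope is necessary but not sufficient. All type, function and identifier names here are hypothetical, and the store contents are constructed sample data.

```typescript
type Role = "admin" | "device";
type Action = "list" | "approve" | "reject";

interface Session { deviceId: string; gatewayId: string; role: Role; }
interface PairingRequest {
  id: string; gatewayId: string; requesterDeviceId: string;
  status: "pending" | "approved" | "rejected";
}

class AuthorizationError extends Error {}

// Constructed sample store: two unrelated devices pending on the same gateway.
function makeStore(): Map<string, PairingRequest> {
  return new Map<string, PairingRequest>([
    ["req-1", { id: "req-1", gatewayId: "gw-A", requesterDeviceId: "dev-1", status: "pending" }],
    ["req-2", { id: "req-2", gatewayId: "gw-A", requesterDeviceId: "dev-2", status: "pending" }],
  ]);
}

// Vulnerable pattern (hypothetical): gateway membership is the only check, so a
// limited paired-device session can approve every pending request in its gateway.
function approveVulnerable(store: Map<string, PairingRequest>, s: Session, id: string): PairingRequest {
  const req = store.get(id);
  if (!req || req.gatewayId !== s.gatewayId) throw new AuthorizationError("not found");
  req.status = "approved";
  return req;
}

// Hardened policy: cross-gateway access is always denied; managing other devices'
// requests is admin-only; a device session may only read the request it raised.
function authorize(s: Session, action: Action, req: PairingRequest): boolean {
  if (req.gatewayId !== s.gatewayId) return false;
  if (s.role === "admin") return true;
  return action === "list" && req.requesterDeviceId === s.deviceId;
}

// Enumeration is filtered through the same policy, so a device cannot list others' requests.
function listPending(store: Map<string, PairingRequest>, s: Session): PairingRequest[] {
  return [...store.values()].filter(r => r.status === "pending" && authorize(s, "list", r));
}

function approveHardened(store: Map<string, PairingRequest>, s: Session, id: string): PairingRequest {
  const req = store.get(id);
  // One response for "missing" and "forbidden", so the endpoint does not reveal request ids.
  if (!req || !authorize(s, "approve", req)) throw new AuthorizationError("not found");
  req.status = "approved";
  return req;
}
```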

Remediation

Update to OpenClaw version 2026.4.20 or later, where this vulnerability is fixed.

Added: Apr 23, 2026, 7:18 PM
Updated: Apr 23, 2026, 7:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.1
remediation: 0.0
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.