DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-7H7G-X2PX-94HJ: Credential Exposure in OpenClaw Device Pairing

Vulnerability ID: GHSA-7H7G-X2PX-94HJ
CVSS Score: 5.3
Published: 2026-03-13

The OpenClaw personal AI assistant ecosystem is affected by an insufficiently protected credentials weakness (CWE-522) in its device pairing flow. The Gateway generates setup codes (QR codes and setup strings) that embed the Gateway's permanent, shared authentication token rather than an ephemeral bootstrap key. Anyone who captures that payload, for example from a photographed QR code or a setup string shared over an insecure channel, holds the same long-lived credential the Gateway itself trusts, and therefore gains persistent access to the user's Gateway, including integrated AI service API keys, chat histories, and agent configurations. Because the token is shared rather than scoped to one device, it cannot be expired or revoked for the intercepted device alone. The vulnerability is resolved in version v2026.3.12, which replaces the embedded token with short-lived, per-device session credentials.

TL;DR

OpenClaw versions prior to v2026.3.12 expose long-lived gateway credentials in device pairing QR codes and setup strings, enabling persistent unauthorized access if intercepted.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Insufficiently Protected Credentials (CWE-522)
  • Attack Vector: Physical / Adjacent / Network (via intercepted setup payload)
  • Impact: Persistent Unauthorized Gateway Access
  • Exploit Status: Proof of Concept (PoC)
  • CVSS Score: 5.3 (Moderate)
  • CISA KEV: Not Listed

Affected Systems

  • OpenClaw Gateway
  • OpenClaw CLI
  • openclaw npm package
  • openclaw: < v2026.3.12 (Fixed in: v2026.3.12)

Mitigation Strategies

  • Upgrade the openclaw package to the patched version (v2026.3.12 or later).
  • Rotate and regenerate all Gateway authentication tokens after upgrading. Upgrading alone does not invalidate a shared token that was already captured from an old pairing payload; only regeneration does.
  • Audit paired devices regularly using the OpenClaw CLI and remove any device you do not recognize.
  • Generate and scan pairing QR codes only in private settings, and never share setup strings over chat, email, or screenshots.

Remediation Steps:

  1. Open a terminal and run npm install -g openclaw@latest to install version v2026.3.12 or newer (confirm the installed version before continuing).
  2. Restart the OpenClaw Gateway service so the new binary is the one serving pairing requests.
  3. Run the token regeneration command specific to your Gateway deployment to invalidate the old long-lived tokens; existing pairings made with those tokens will need to be redone.
  4. Run openclaw pairing list to review all connected devices.
  5. Remove any unrecognized devices from the authorized pairings list.
