CVE-2026-41909: Incorrect Authorization in OpenClaw Device Pairing
Vulnerability ID: GHSA-XRQ9-JM7V-G9H7
CVSS Score: 5.4
Published: 2026-04-25
The OpenClaw Agent Platform before version 2026.4.20 contains an incorrect authorization vulnerability (CWE-863) in its gateway pairing management module. A failure to distinguish between administrative operator sessions and device-level sessions allows compromised or malicious devices to view and manipulate pairing requests belonging to other devices within the same gateway scope.
TL;DR
OpenClaw versions prior to 2026.4.20 fail to properly scope pairing RPC methods, allowing any device token with the operator.pairing scope to globally list, approve, or reject pairing requests for unrelated devices.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-41909
- CWE ID: CWE-863
- CVSS v3.1 Score: 5.4 (Medium)
- Attack Vector: Network
- Privileges Required: Low
- EPSS Score: 0.00025
- Exploit Maturity: Proof of Concept
Affected Systems
- OpenClaw Agent Platform Gateway
- OpenClaw: < 2026.4.20 (Fixed in: 2026.4.20)
Code Analysis
Commit: 5a12f30
Fix incorrect authorization in paired device pairing actions
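The defect class the advisory describes, modelled as an added example (this is not OpenClaw's code and not the content of commit 5a12f30): a pairing-action check that only looks at the `operator.pairing` scope treats a device token exactly like an administrative operator, while the hardened check also enforces the session kind and confines a device session to its own pairing request. The session shape (`kind`, `deviceId`, `scopes`), the in-memory request store and the `approvePairing` / `visibleRequestIds` helpers are hypothetical.

```javascript
// Added example modelling CWE-863 in a pairing RPC: session shapes, method
// names and the request store are hypothetical, not OpenClaw's real code.

const REQUIRED_SCOPE = "operator.pairing";

// Constructed pending pairing requests, keyed by request id.
const pairingRequests = new Map([
  ["req-1", { deviceId: "dev-A", status: "pending" }],
  ["req-2", { deviceId: "dev-B", status: "pending" }],
]);

// Vulnerable check: only the scope is consulted, so a device-level session
// that carries operator.pairing is indistinguishable from an operator.
function authorizeVulnerable(session, _requestId) {
  return session.scopes.includes(REQUIRED_SCOPE);
}

// Hardened check: scope AND session kind. Operator sessions may act on any
// request; a device session may only act on the request for its own device.
function authorizeFixed(session, requestId) {
  if (!session.scopes.includes(REQUIRED_SCOPE)) return false;
  if (session.kind === "operator") return true;
  if (session.kind === "device") {
    const req = pairingRequests.get(requestId);
    return req !== undefined && req.deviceId === session.deviceId;
  }
  return false; // unknown session kind: deny by default
}

// Approve handler parameterised by the authorization function so the two
// behaviours can be compared side by side. Returns a decision, no mutation.
function approvePairing(authorize, session, requestId) {
  if (!authorize(session, requestId)) return { ok: false, error: "forbidden" };
  const req = pairingRequests.get(requestId);
  if (!req) return { ok: false, error: "not_found" };
  return { ok: true, deviceId: req.deviceId };
}

// Listing under the hardened rule: operators see every request, a device
// sees only its own, anything else sees nothing.
function visibleRequestIds(session) {
  if (!session.scopes.includes(REQUIRED_SCOPE)) return [];
  return [...pairingRequests.entries()]
    .filter(([, req]) => session.kind === "operator" ||
      (session.kind === "device" && req.deviceId === session.deviceId))
    .map(([id]) => id);
}

// Constructed sessions: a device token holding the operator.pairing scope,
// and a genuine operator session.
const deviceSession = { kind: "device", deviceId: "dev-A", scopes: [REQUIRED_SCOPE] };
const operatorSession = { kind: "operator", scopes: [REQUIRED_SCOPE] };

console.log("vulnerable, device approves req-2:", approvePairing(authorizeVulnerable, deviceSession, "req-2"));
console.log("fixed, device approves req-2:", approvePairing(authorizeFixed, deviceSession, "req-2"));
console.log("fixed, device sees:", visibleRequestIds(deviceSession));
```

The point of the comparison is that scope alone is not an authorization decision: the same scope string appears on tokens of different trust levels, so the check has to bind the action to the principal's kind and, for device sessions, to the resource that principal actually owns.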
Mitigation Strategies
- Upgrade the OpenClaw package to version 2026.4.20
- Audit recently paired devices for unauthorized additions
- Restrict the operator.pairing scope to essential devices only
Remediation Steps:
- Identify all deployments utilizing the OpenClaw gateway module.
- Update the project dependencies to require openclaw@^2026.4.20.
- Rebuild and redeploy the gateway applications.
- Review the gateway logs for unexpected calls to device.pair.approve originating from device tokens.
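The log review in the last remediation step, as an added example that is not part of the advisory: it scans JSON-lines gateway log entries for pairing methods invoked by device-kind callers and summarises them per caller. The log format, the field names (`method`, `caller.kind`, `caller.id`, `requestId`) and the sample lines are constructed assumptions, not OpenClaw's real log schema; adapt the field access to whatever your gateway actually emits.

```javascript
// Added example: find pairing RPC calls made by device tokens in a gateway
// log. Log schema and sample entries are constructed, not OpenClaw's own.

// Methods that, per the advisory, should only be exercised by operators.
const PAIRING_METHODS = new Set([
  "device.pair.list",
  "device.pair.approve",
  "device.pair.reject",
]);

// Constructed JSON-lines log excerpt, including one malformed line.
const sampleLog = [
  '{"ts":"2026-04-21T10:00:01Z","method":"device.pair.approve","caller":{"kind":"operator","id":"admin-1"},"requestId":"req-7"}',
  '{"ts":"2026-04-21T10:02:13Z","method":"device.pair.approve","caller":{"kind":"device","id":"dev-A"},"requestId":"req-8"}',
  '{"ts":"2026-04-21T10:02:20Z","method":"device.pair.list","caller":{"kind":"device","id":"dev-A"}}',
  '{"ts":"2026-04-21T10:05:00Z","method":"agent.run","caller":{"kind":"device","id":"dev-B"}}',
  'this line is not JSON',
].join("\n");

// Returns one record per pairing call whose caller is a device token.
function findDevicePairingCalls(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // skip malformed lines rather than aborting the review
    }
    if (!PAIRING_METHODS.has(entry.method)) continue;
    if (!entry.caller || entry.caller.kind !== "device") continue;
    hits.push({
      ts: entry.ts,
      method: entry.method,
      caller: entry.caller.id,
      requestId: entry.requestId ?? null,
    });
  }
  return hits;
}

// Groups hits by calling device so that each device needing audit stands out.
function summariseByCaller(hits) {
  const summary = {};
  for (const h of hits) {
    summary[h.caller] ??= { calls: 0, approvals: [] };
    summary[h.caller].calls += 1;
    if (h.method === "device.pair.approve" && h.requestId) {
      summary[h.caller].approvals.push(h.requestId);
    }
  }
  return summary;
}

const hits = findDevicePairingCalls(sampleLog);
console.log(JSON.stringify(summariseByCaller(hits), null, 2));
```

Any device id that appears in the summary, and in particular any request id it approved, is a candidate for the "audit recently paired devices" step above: the approved request identifies which device was admitted on the strength of a device token rather than an operator decision.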
References
- GitHub Security Advisory: GHSA-xrq9-jm7v-g9h7
- OpenClaw Fix Commit
- NVD Record for CVE-2026-41909
- VulnCheck Advisory