CVE-2026-32987

Severity: Critical (CVSS 4.0 base score 9.3) · EPSS: 27.0%
Published: Mar 29, 2026
Last Modified: Jun 17, 2026

Description

OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.
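The replay described above is the classic CWE-294 shape: a one-time code that is checked but never invalidated. The following is an added illustration, not OpenClaw's code; the `PendingPairing` type, the functions and the setup code are hypothetical. It puts a replayable verifier beside a single-use one so the difference in outcome is visible.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical model of a pending device pairing (not OpenClaw's actual types).
export interface PendingPairing {
  deviceId: string;
  scopes: Set<string>;   // scopes the pairing will receive once approved
  codeHash: string;      // hex SHA-256 of the bootstrap setup code, never the code itself
  consumed: boolean;     // set once the code has been verified successfully
}

const sha256 = (s: string): Buffer => createHash("sha256").update(s).digest();

// Vulnerable pattern: the code is checked but never invalidated, so every
// replay is accepted and each one can push another scope into the pairing.
export function verifyReplayable(p: PendingPairing, code: string, scope: string): boolean {
  if (sha256(code).toString("hex") !== p.codeHash) return false;
  p.scopes.add(scope);
  return true;
}

// Hardened pattern: the code is single-use. It is marked consumed before any
// scope change, and a second presentation is rejected regardless of validity.
export function verifyOnce(p: PendingPairing, code: string, scope: string): boolean {
  if (p.consumed) return false;
  const given = sha256(code);
  const expected = Buffer.from(p.codeHash, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  p.consumed = true;            // with an async store, make this a compare-and-set
  p.scopes.add(scope);
  return true;
}

// Constructed scenario: one legitimate verification, then a replay of the same
// code asking for a broader scope. Returns the pairing's scopes afterwards.
export function scenario(verify: typeof verifyOnce): string[] {
  const code = "482913";  // constructed sample setup code
  const p: PendingPairing = {
    deviceId: "device-1",
    scopes: new Set(["operator.read"]),
    codeHash: sha256(code).toString("hex"),
    consumed: false,
  };
  verify(p, code, "operator.read");
  verify(p, code, "operator.admin");
  return [...p.scopes].sort();
}
```

With `verifyReplayable` the second call succeeds and the pairing ends up holding `operator.admin`; with `verifyOnce` the replay is refused and the scopes are unchanged.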

CVSS Details

Base Score: 9.3 (CVSS 4.0)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Threat Intelligence

EPSS Exploit Probability: 27.0%
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (1)

CWE-294: Authentication Bypass by Capture-replay

Affected Products (1)

Vendor     Product    Version Range
openclaw   openclaw   * (all versions) < 2026.3.13

References (3)

  • github.com https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c
    Patch
  • github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p
    Vendor Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/openclaw-bootstrap-setup-code-replay-via-device-pairing
    Third Party Advisory

Remediation

  • github.com https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c
    Patch