Executive Summary
A critical-severity privilege escalation vulnerability (CVE-2026-32987, CVSS 9.8) has been disclosed in OpenClaw versions prior to 2026.3.13. The flaw resides in the device bootstrap pairing flow (src/infra/device-bootstrap.ts), which allows a valid bootstrap setup code to be replayed multiple times before the pairing request is approved. An attacker who obtains a valid setup code can verify it repeatedly to progressively escalate the scope of the pending pairing request, ultimately reaching operator.admin privilege — the highest available privilege level.
CVSS Score: 9.8 (Critical)
Published to the NVD on March 29, 2026, this vulnerability is particularly dangerous in any environment where device bootstrap codes can be observed or intercepted.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-32987 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-294: Authentication Bypass by Capture-replay |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Vulnerable Component | src/infra/device-bootstrap.ts — bootstrap setup code verification |
| Root Cause | Setup codes not invalidated after single use during pending pairing window |
Affected Products
| Vendor | Product | Affected Versions | Fixed Version |
|---|---|---|---|
| OpenClaw | OpenClaw | All versions before 2026.3.13 | 2026.3.13 |
Vulnerability Details
Bootstrap Code Replay Attack
OpenClaw uses a bootstrap setup code mechanism during the device pairing process. A setup code is generated, shared with the user, and must be verified before the pairing is approved and scopes are granted. The vulnerability is that the setup code verification endpoint does not invalidate the code after the first successful verification — allowing it to be submitted multiple times while the pairing request remains in a pending (pre-approval) state.
Each successful re-verification causes the pending pairing request to accumulate additional scopes. By replaying the code enough times, an attacker can escalate the pending pairing to include operator.admin — the highest privilege scope in OpenClaw.
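As an added illustration (not OpenClaw's code and not taken from device-bootstrap.ts), this hypothetical TypeScript model contrasts a verification path that leaves the setup code valid while the request is still pending with one that consumes it on first success; the scope ladder, the in-memory stores and the names `PairingService`, `verifySetupCode` and `replay` are assumptions.

```typescript
// Hypothetical model of the pairing flow, added for illustration; not OpenClaw's code.
type Scope = "operator.read" | "operator.write" | "operator.admin";
const SCOPE_LADDER: Scope[] = ["operator.read", "operator.write", "operator.admin"]; // assumed ladder
interface PendingPairing { deviceId: string; scopes: Scope[]; approved: boolean }

class PairingService {
  private singleUseCodes: boolean;
  // Object.create(null) so lookups cannot hit inherited keys such as "constructor".
  private codes: { [code: string]: string } = Object.create(null);            // code -> device id
  private pending: { [deviceId: string]: PendingPairing } = Object.create(null);
  constructor(singleUseCodes: boolean) { this.singleUseCodes = singleUseCodes; }
  issueCode(code: string, deviceId: string): void { this.codes[code] = deviceId; }

  // Returns the pending request on success, or null when the code is rejected.
  verifySetupCode(code: string): PendingPairing | null {
    const deviceId: string | undefined = this.codes[code];
    if (deviceId === undefined) return null;
    // Hardened behaviour: consume the code before touching any other state,
    // so a later replay of the same code finds nothing to verify.
    if (this.singleUseCodes) delete this.codes[code];
    let req = this.pending[deviceId];
    if (!req) {
      req = { deviceId: deviceId, scopes: [SCOPE_LADDER[0]], approved: false };
      this.pending[deviceId] = req;
    } else {
      // Only reachable when the same code verifies again while the request is
      // still pending: each replay steps the requested scope up one rung.
      const rung = Math.min(req.scopes.length, SCOPE_LADDER.length - 1);
      if (req.scopes.indexOf(SCOPE_LADDER[rung]) < 0) req.scopes.push(SCOPE_LADDER[rung]);
    }
    return req;
  }

  pendingScopes(deviceId: string): Scope[] {
    const req = this.pending[deviceId];
    return req ? req.scopes.slice() : [];
  }
}

// Replays one constructed setup code `times` times and reports what the pending request ends up requesting.
function replay(singleUseCodes: boolean, times: number): { accepted: number; scopes: Scope[] } {
  const svc = new PairingService(singleUseCodes);
  svc.issueCode("SETUP-CODE-EXAMPLE", "device-1");   // constructed sample values
  let accepted = 0;
  for (let i = 0; i < times; i++) {
    if (svc.verifySetupCode("SETUP-CODE-EXAMPLE") !== null) accepted++;
  }
  return { accepted: accepted, scopes: svc.pendingScopes("device-1") };
}
```

With `singleUseCodes` false, three submissions of the same code are all accepted and the pending request climbs to operator.admin; with it true, only the first is accepted and the request keeps its initial scope.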
Attack flow:
1. Attacker obtains a valid bootstrap setup code (e.g., via interception, shoulder surfing, or log access during a legitimate pairing session)
2. Attacker submits the setup code to the verification endpoint — first verification succeeds, pairing request enters "pending" state with initial scope
3. Attacker resubmits the same setup code — second verification succeeds, pairing scope escalates
4. Attacker continues replaying the code until pairing scope includes operator.admin
5. When the pairing is eventually approved (by a legitimate admin or the attacker), the device receives operator.admin privileges
Impact of Successful Exploitation
An attacker who successfully exploits this vulnerability gains operator.admin access, which in OpenClaw provides:
- Full administrative control over the OpenClaw instance
- Ability to add, remove, or modify agents — backdoor or disable monitoring agents
- Access to all configured integrations and secrets — credentials, API keys, webhooks
- Control over all channels and message routing — intercept or inject into any channel
- Ability to modify allowlists and security policies — permanently weaken the security posture
The escalation to operator.admin effectively constitutes a full platform compromise.
Deployment Context and Risk
The bootstrap pairing process is a one-time setup operation but may be triggered repeatedly in dynamic environments (e.g., automated device provisioning, cloud deployments, or CI/CD agent registration). Any environment where setup codes are transmitted over networks or logged is at elevated risk.
| Deployment Context | Risk Level | Notes |
|---|---|---|
| Automated device provisioning pipelines | Critical | Codes may be logged or visible in CI/CD outputs |
| Cloud-based OpenClaw deployments | Critical | Network interception of setup codes possible |
| Multi-admin environments | Critical | Rogue admin can replay codes before approval |
| Development/staging environments | High | Often less access-controlled; codes frequently reused |
Recommended Mitigations
1. Upgrade Immediately
Upgrade to OpenClaw 2026.3.13, which patches device-bootstrap.ts to invalidate bootstrap codes after the first successful verification, preventing replay.
```bash
# Upgrade OpenClaw to 2026.3.13 or later
```
2. Audit Pending Pairing Requests
Immediately audit any pending device pairing requests for unexpected scope escalation:
1. List all pending pairing requests in your OpenClaw admin panel
2. Check the requested scopes for any requests with operator.admin
3. Reject any suspicious requests immediately
4. Review who initiated each pending request
3. Treat Bootstrap Codes as Secrets
Bootstrap setup codes must be treated with the same sensitivity as authentication tokens:
- Transmit codes only via secure, encrypted channels
- Never log setup codes in plaintext in CI/CD pipelines or application logs
- Use short expiry windows for setup codes where configurable
- Deliver codes out-of-band (e.g., in-person, encrypted message) rather than via the same channel as the pairing request
4. Monitor for Exploitation Indicators
| Indicator | Description |
|---|---|
| Multiple verifications of the same setup code | Replay attack in progress |
| Pending pairing requests with operator.admin scope | Possible escalation via replay |
| Pairing requests from unexpected IP addresses | Attacker-initiated pairing |
| Bootstrap verification events outside expected provisioning windows | Unauthorized device registration |
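An added detection sketch for three of the indicators in the table above (repeated successful verification of one code, a pending request carrying operator.admin, and a source address outside the provisioning allowlist). The JSON event format, field names and the `detectReplay` function are assumptions; they are not OpenClaw's log schema, and the sample lines are constructed.

```typescript
// Added detection sketch; the JSON event format is an assumption, not OpenClaw's log schema.
interface BootstrapEvent {
  ts: string;
  event: "bootstrap.verify" | "pairing.pending";
  codeId?: string;        // hashed or redacted identifier; the raw setup code must never be logged
  deviceId: string;
  srcIp: string;
  result?: "ok" | "rejected";
  scopes?: string[];
}

interface Alert { indicator: string; deviceId: string; detail: string }

// Scans bootstrap events for: the same code verified successfully more than
// once, a pending request carrying operator.admin, and a source address
// outside the provisioning allowlist. Returns one alert per finding.
function detectReplay(lines: string[], allowedIps: string[]): Alert[] {
  const okVerifies: { [codeId: string]: number } = Object.create(null);
  const alerts: Alert[] = [];
  for (const line of lines) {
    const ev = JSON.parse(line) as BootstrapEvent;
    if (allowedIps.indexOf(ev.srcIp) < 0) {
      alerts.push({ indicator: "unexpected-source", deviceId: ev.deviceId, detail: ev.srcIp });
    }
    if (ev.event === "bootstrap.verify" && ev.result === "ok" && ev.codeId) {
      okVerifies[ev.codeId] = (okVerifies[ev.codeId] || 0) + 1;
      if (okVerifies[ev.codeId] === 2) {   // alert once, on the first replay
        alerts.push({ indicator: "code-replay", deviceId: ev.deviceId, detail: ev.codeId });
      }
    }
    if (ev.event === "pairing.pending" && (ev.scopes || []).indexOf("operator.admin") >= 0) {
      alerts.push({ indicator: "admin-scope-pending", deviceId: ev.deviceId, detail: "operator.admin" });
    }
  }
  return alerts;
}

// Constructed sample log: device-7 replays code c1 three times and ends up with
// operator.admin pending; device-2 pairs normally; device-9 verifies from an unexpected address.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-03-30T10:00:01Z","event":"bootstrap.verify","codeId":"c1","deviceId":"device-7","srcIp":"10.0.0.5","result":"ok"}',
  '{"ts":"2026-03-30T10:00:02Z","event":"bootstrap.verify","codeId":"c1","deviceId":"device-7","srcIp":"10.0.0.5","result":"ok"}',
  '{"ts":"2026-03-30T10:00:03Z","event":"bootstrap.verify","codeId":"c1","deviceId":"device-7","srcIp":"10.0.0.5","result":"ok"}',
  '{"ts":"2026-03-30T10:00:04Z","event":"pairing.pending","deviceId":"device-7","srcIp":"10.0.0.5","scopes":["operator.read","operator.write","operator.admin"]}',
  '{"ts":"2026-03-30T10:05:00Z","event":"bootstrap.verify","codeId":"c2","deviceId":"device-2","srcIp":"10.0.0.9","result":"ok"}',
  '{"ts":"2026-03-30T10:05:01Z","event":"pairing.pending","deviceId":"device-2","srcIp":"10.0.0.9","scopes":["operator.read"]}',
  '{"ts":"2026-03-30T11:30:00Z","event":"bootstrap.verify","codeId":"c3","deviceId":"device-9","srcIp":"203.0.113.40","result":"ok"}',
];
const PROVISIONING_IPS = ["10.0.0.5", "10.0.0.9"];   // assumed allowlist of provisioning hosts
```

Run over `SAMPLE_LOG`, the scan yields three alerts: a code replay and an operator.admin pending request for device-7, and an unexpected source for device-9.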
Post-Remediation Checklist
- Upgrade to 2026.3.13 — confirm that setup codes are invalidated after first use
- Audit and reject suspicious pending pairings — cancel any with unexpected scope
- Rotate operator.admin credentials — if escalation occurred, treat all operator.admin tokens as compromised
- Review device pairing logs — identify any devices that may have received elevated scopes through replay
- Audit all operators and agents for unexpected permissions granted during the vulnerable window