CVE-2026-32987 CRITICAL

CVE-2026-32987: OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing

Vendor Openclaw
Product OpenClaw
Weakness CWE-294
Published March 29, 2026
Last update March 30, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts: a code that has already been verified is not invalidated, so it can be presented again. An attacker who holds a valid bootstrap code can therefore verify it multiple times before the pairing is approved and escalate the pending pairing's scopes, up to operator.admin. The weakness is CWE-294 (authentication bypass by capture-replay), and the CVSS vector reflects an unauthenticated network attacker with no user interaction required. Upgrade to OpenClaw 2026.3.13 or later.
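The replay pattern described above, as an added illustration that is not OpenClaw's code: a hypothetical pairing store in which the vulnerable verification path never consumes the bootstrap code and lets every successful verification rewrite the pending scope set, next to a fixed path that makes the code single-use, time-limited and bound to one pairing, and refuses to widen scopes after the first verification. The class and function names (PairingStore, issueBootstrapCode, verifyVulnerable, verifyFixed, replayScenario) and the assumption that the verify step carries the requested scope list are inventions for the example; only the scope name operator.admin comes from the advisory.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical model of a bootstrap-code pairing flow (not OpenClaw's code).
export type Scope = "operator.read" | "operator.write" | "operator.admin";

export interface PendingPairing {
  deviceId: string;
  scopes: Scope[];   // what the operator will see at approval time
  verified: boolean; // a valid bootstrap code has been presented
  approved: boolean; // an operator accepted the request
}

interface CodeRecord {
  codeHash: Buffer;  // sha256 of the code; the clear code is never stored
  pairingId: string; // the code is bound to exactly one pending pairing
  consumed: boolean; // single-use flag, checked and set by the fixed path
  expiresAt: number; // epoch milliseconds
}

function sha256(s: string): Buffer {
  return createHash("sha256").update(s).digest();
}

export class PairingStore {
  pairings = new Map<string, PendingPairing>();
  codes = new Map<string, CodeRecord>();

  // Device asks to pair with an initial, usually narrow, scope set.
  requestPairing(pairingId: string, deviceId: string, scopes: Scope[]): void {
    this.pairings.set(pairingId, { deviceId, scopes: [...scopes], verified: false, approved: false });
  }

  // Operator side: mint a short-lived code for one pending pairing.
  issueBootstrapCode(pairingId: string, ttlMs = 5 * 60_000, now = Date.now()): string {
    const code = randomBytes(6).toString("hex");
    this.codes.set(pairingId, { codeHash: sha256(code), pairingId, consumed: false, expiresAt: now + ttlMs });
    return code;
  }

  private codeMatches(rec: CodeRecord, code: string): boolean {
    const h = sha256(code);
    return h.length === rec.codeHash.length && timingSafeEqual(h, rec.codeHash);
  }

  // VULNERABLE shape (CWE-294): the code is never consumed and every successful
  // verification overwrites the pending scopes, so replaying the same code with
  // a wider scope list escalates the request before anyone approves it.
  verifyVulnerable(pairingId: string, code: string, scopes: Scope[]): boolean {
    const rec = this.codes.get(pairingId);
    const p = this.pairings.get(pairingId);
    if (!rec || !p || !this.codeMatches(rec, code)) return false;
    p.verified = true;
    p.scopes = [...scopes];
    return true;
  }

  // FIXED shape: reject consumed or expired codes, mark the code consumed as
  // soon as it matches, and never let a later call widen the scope set.
  verifyFixed(pairingId: string, code: string, scopes: Scope[], now = Date.now()): boolean {
    const rec = this.codes.get(pairingId);
    const p = this.pairings.get(pairingId);
    if (!rec || !p || rec.consumed || now > rec.expiresAt) return false;
    if (!this.codeMatches(rec, code)) return false;
    rec.consumed = true;          // a second presentation of this code fails above
    if (p.verified) return false; // already verified: no re-scoping at all
    // A device may only narrow, never widen, the scopes it originally requested.
    if (!scopes.every((s) => p.scopes.includes(s))) return false;
    p.verified = true;
    p.scopes = [...scopes];
    return true;
  }
}

// Constructed scenario: a device requests operator.read, verifies once
// legitimately, then the same code is replayed asking for operator.admin.
export function replayScenario(): { vulnerable: Scope[]; fixed: Scope[]; replayAccepted: boolean } {
  const weak = new PairingStore();
  weak.requestPairing("p1", "dev-1", ["operator.read"]);
  const code = weak.issueBootstrapCode("p1");
  weak.verifyVulnerable("p1", code, ["operator.read"]);  // legitimate first use
  weak.verifyVulnerable("p1", code, ["operator.admin"]); // replay widens scopes
  const vulnerable = weak.pairings.get("p1")!.scopes;

  const fixed = new PairingStore();
  fixed.requestPairing("p1", "dev-1", ["operator.read"]);
  const code2 = fixed.issueBootstrapCode("p1");
  fixed.verifyFixed("p1", code2, ["operator.read"]);
  const replayAccepted = fixed.verifyFixed("p1", code2, ["operator.admin"]);
  return { vulnerable, fixed: fixed.pairings.get("p1")!.scopes, replayAccepted };
}
```

In the vulnerable path the operator who later approves the pairing sees operator.admin, not the operator.read the device originally asked for; in the fixed path the replay is rejected and the pending scopes stay at operator.read. The consumed flag is set before any scope logic runs so that a failed scope check still burns the code, which is the safe direction: an attacker should never get a second attempt with a code that has already been matched.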

Key dates

Disclosure timeline

March 29, 2026 CVE published
March 30, 2026 Record updated