Threat Feed
Advisory (severity: high)

OpenClaw Credential Exposure via Leaked Pairing Codes

OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials in pairing setup codes, allowing attackers with access to leaked codes to reuse credentials and gain unauthorized access.

OpenClaw versions before 2026.3.12 are vulnerable to credential exposure. The pairing setup codes generated by the /pair endpoint and the OpenClaw qr command embed a long-lived, shared gateway credential directly, so a code that was meant to be used once actually carries a reusable secret. An attacker who obtains a setup code, for example from a leaked chat history, a log, or a screenshot, can extract the embedded credential, bypass the intended one-time pairing flow, and gain unauthorized access to the shared gateway and to the sensitive data reachable through it.

Attack Chain

  1. A user generates a pairing setup code with the /pair endpoint or the OpenClaw qr command; the code contains the embedded shared gateway credential.
  2. The user shares the setup code with the intended recipient, typically over chat, where it may persist in chat history, logs, or screenshots.
  3. The attacker obtains the setup code from a compromised chat history, exposed logs, or a publicly shared screenshot.
  4. The attacker extracts the long-lived shared gateway credential from the setup code.
  5. The attacker reuses the extracted credential outside the intended one-time pairing flow.
  6. The attacker gains unauthorized access to the shared gateway.
  7. The attacker uses that gateway access for further malicious activity.

Impact

Successful exploitation allows an attacker to bypass the intended one-time pairing flow and gain unauthorized access to the shared gateway. The number of potential victims depends on the number of OpenClaw deployments and on how widely pairing setup codes have been exposed. The primary impact is unauthorized access and potential compromise of sensitive data reachable through the shared gateway.

Recommendation

  • Upgrade OpenClaw to version 2026.3.12 or later to remediate the vulnerability (CVE-2026-33575).
  • Implement strict controls over the handling and storage of pairing setup codes to prevent unauthorized access.
  • Monitor network traffic for suspicious activity originating from OpenClaw gateways, which may indicate unauthorized access using leaked credentials.
  • Deploy the Sigma rule that detects use of the /pair endpoint, which could indicate unauthorized pairing attempts.

Detection coverage (2 rules)

Detect OpenClaw /pair Endpoint Access (severity: medium)

Detects access to the /pair endpoint, potentially indicating unauthorized pairing attempts or credential exposure.

Rule format: Sigma. Tactics: credential_access. Techniques: T1552. Log sources: webserver, linux.

Detect OpenClaw QR Code Generation Command (severity: info)

Detects execution of the `OpenClaw qr` command, potentially indicating pairing setup code generation.

Rule format: Sigma. Tactics: credential_access. Techniques: T1552. Log sources: process_creation, linux.
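The following is an added example, not the platform's Sigma rules and not OpenClaw code. It implements the two detections described above (and recommended in the Recommendation list) as plain Python over constructed telemetry: webserver access-log lines in the common "combined" format for the /pair endpoint rule, and process-creation events for the `OpenClaw qr` rule. The log layout, event field names, hostnames, IP addresses, the `openclaw` executable name and its casing are all assumptions made for the example. Two details matter for a defender here: the path is matched exactly rather than by substring, so `/pairing-guide.html` does not fire, and the query string is deliberately dropped from the alert, because a setup code copied into a SIEM alert would be one more place the credential can leak from.

```python
"""Added detection example for the two OpenClaw rules above (not vendor code)."""
import re
import shlex
from posixpath import basename

# Constructed sample access-log lines (Apache/nginx "combined" format, not real OpenClaw logs).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2026:09:14:02 +0000] "GET /pair HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2026:09:14:05 +0000] "GET /static/app.js HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2026:09:20:41 +0000] "POST /pair?code=PLACEHOLDER HTTP/1.1" 200 128 "-" "curl/8.5.0"',
    '10.0.0.7 - - [12/Mar/2026:09:21:00 +0000] "GET /pairing-guide.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [12/Mar/2026:09:22:13 +0000] "GET /api/pair/status HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Constructed sample process-creation events (field names assumed, loosely modelled on EDR exports).
SAMPLE_PROCESS_EVENTS = [
    {"host": "gw-01", "user": "alice", "cmdline": "openclaw qr"},
    {"host": "gw-01", "user": "alice", "cmdline": "openclaw status"},
    {"host": "dev-02", "user": "bob", "cmdline": "qrencode -o out.png hello"},
    {"host": "gw-02", "user": "svc", "cmdline": "OpenClaw qr --out pair.png"},
]

ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
PAIR_ENDPOINT = "/pair"          # endpoint named in the advisory
CLI_NAME = "openclaw"            # assumed executable name, compared case-insensitively


def parse_access_line(line):
    """Parse one combined-format line; return a dict or None if it does not parse."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Split the query string off: we match on the path only, and the query may
    # carry the setup code itself, which must never be copied into an alert.
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["has_query"] = bool(query)
    return rec


def is_pair_endpoint(path):
    """Exact endpoint match (plus sub-paths), so /pairing-guide.html does not fire."""
    return path == PAIR_ENDPOINT or path.startswith(PAIR_ENDPOINT + "/")


def detect_pair_endpoint_access(lines):
    """Rule 1: access to the /pair endpoint (severity medium, T1552)."""
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or not is_pair_endpoint(rec["path"]):
            continue
        findings.append({
            "rule": "Detect OpenClaw /pair Endpoint Access",
            "severity": "medium",
            "technique": "T1552",
            "source_ip": rec["ip"],
            "timestamp": rec["ts"],
            "method": rec["method"],
            "path": rec["path"],              # query string intentionally omitted
            "status": int(rec["status"]),
            "query_present": rec["has_query"],  # flag only; the value is not recorded
        })
    return findings


def detect_openclaw_qr(events):
    """Rule 2: execution of `openclaw qr` (severity info, T1552)."""
    findings = []
    for ev in events:
        try:
            argv = shlex.split(ev.get("cmdline", ""))
        except ValueError:          # unbalanced quotes in a hostile command line
            continue
        if len(argv) < 2:
            continue
        if basename(argv[0]).lower() != CLI_NAME or argv[1].lower() != "qr":
            continue
        findings.append({
            "rule": "Detect OpenClaw QR Code Generation Command",
            "severity": "info",
            "technique": "T1552",
            "host": ev.get("host"),
            "user": ev.get("user"),
            "cmdline": ev.get("cmdline"),
        })
    return findings


def run_all(access_log=SAMPLE_ACCESS_LOG, process_events=SAMPLE_PROCESS_EVENTS):
    """Run both rules over the supplied telemetry and return all findings."""
    return detect_pair_endpoint_access(access_log) + detect_openclaw_qr(process_events)


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f['severity']}] {f['rule']}: {f.get('source_ip') or f.get('host')}")
```

Run on the constructed samples this yields two /pair hits (the internal client and the external `curl` POST, the latter flagged as carrying a query string whose content is not stored) and two `openclaw qr` executions; the guide page, the `/api/pair/status` probe and the unrelated `qrencode` call are ignored.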
