OpenClaw Bootstrap Code Replay Vulnerability (CVE-2026-32987)
OpenClaw before 2026.3.13 is vulnerable to a replay attack during device pairing verification, allowing attackers to repeatedly verify a bootstrap code and escalate privileges to operator.admin.
OpenClaw before version 2026.3.13 contains a vulnerability in the device pairing verification process. Specifically, the src/infra/device-bootstrap.ts file allows bootstrap setup codes to be replayed. This means an attacker can repeatedly use the same valid bootstrap code before it is approved, leading to an escalation of pending pairing scopes. The most critical outcome is privilege escalation to the operator.admin level, granting the attacker significant control over the affected system…
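The replay described above comes down to a verification step that checks a code's validity but never consumes it, and that merges each request's scopes into the pending pairing. The following TypeScript is an added illustration written for this page, not OpenClaw's code from src/infra/device-bootstrap.ts, and every name in it (BootstrapStore, verifyReplayable, verifyOnce, PendingPairing, replayOutcome) is hypothetical. It places the replayable pattern beside a single-use one and shows how the pending scopes differ after three attempts, the last of which asks for operator.admin.

```typescript
// Added illustration, not OpenClaw's code. A minimal model of a bootstrap code
// store with the replayable verification pattern next to a single-use one.
// All names here (BootstrapStore, verifyReplayable, verifyOnce, PendingPairing,
// replayOutcome) are hypothetical.

interface PendingPairing {
  deviceId: string;
  scopes: { [scope: string]: true }; // scopes the pairing will carry once an operator approves it
}

interface BootstrapCode {
  deviceId: string;
  issuedScopes: string[]; // scopes this code was minted for
  expiresAt: number;      // epoch milliseconds
  consumed: boolean;      // only the single-use path sets this
}

class BootstrapStore {
  private codes: { [code: string]: BootstrapCode } = {};
  private pending: { [deviceId: string]: PendingPairing } = {};

  issue(code: string, deviceId: string, scopes: string[], ttlMs: number, now: number): void {
    this.codes[code] = { deviceId, issuedScopes: scopes.slice(), expiresAt: now + ttlMs, consumed: false };
  }

  private pendingFor(deviceId: string): PendingPairing {
    if (!this.pending[deviceId]) {
      this.pending[deviceId] = { deviceId, scopes: {} };
    }
    return this.pending[deviceId];
  }

  // Replayable pattern: validity is checked but the code is never marked used,
  // and every call merges the caller's requested scopes into the pending
  // pairing, so repeating the call widens the scopes before approval.
  verifyReplayable(code: string, requestedScopes: string[], now: number): boolean {
    const rec = this.codes[code];
    if (!rec || now > rec.expiresAt) return false;
    const p = this.pendingFor(rec.deviceId);
    for (const s of requestedScopes) p.scopes[s] = true;
    return true;
  }

  // Single-use pattern: the code is consumed on the first successful check
  // (lookup and mark happen in one synchronous step, so a second call sees it
  // consumed) and the pending scopes are capped at the set the code was issued for.
  verifyOnce(code: string, requestedScopes: string[], now: number): boolean {
    const rec = this.codes[code];
    if (!rec || now > rec.expiresAt || rec.consumed) return false;
    rec.consumed = true;
    const p = this.pendingFor(rec.deviceId);
    for (const s of requestedScopes) {
      if (rec.issuedScopes.indexOf(s) !== -1) p.scopes[s] = true;
    }
    return true;
  }

  pendingScopes(deviceId: string): string[] {
    const p = this.pending[deviceId];
    return p ? Object.keys(p.scopes).sort() : [];
  }
}

// Runs three verification attempts against one code, the last asking for
// operator.admin, and reports how many were accepted and which scopes the
// pending pairing ended up with. Input values are constructed for the demo.
function replayOutcome(singleUse: boolean): { accepted: number; scopes: string[] } {
  const store = new BootstrapStore();
  const t0 = 1700000000000;
  store.issue("CODE-1", "dev-1", ["operator.read"], 60000, t0);
  const attempts = [["operator.read"], ["operator.read", "operator.write"], ["operator.admin"]];
  let accepted = 0;
  for (const scopes of attempts) {
    const ok = singleUse
      ? store.verifyOnce("CODE-1", scopes, t0 + 1000)
      : store.verifyReplayable("CODE-1", scopes, t0 + 1000);
    if (ok) accepted++;
  }
  return { accepted, scopes: store.pendingScopes("dev-1") };
}
```

With the replayable path, all three attempts succeed and the pending pairing carries operator.read, operator.write and operator.admin before anyone has approved it; with the single-use path, only the first attempt succeeds and the pairing is limited to operator.read. The two changes are independent and both matter: consuming the code stops the replay itself, and binding scopes to what the code was issued for stops a single verification from requesting more than intended.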
Detection coverage (2 rules)
Detect Repeated Bootstrap Code Verification
Severity: high. Detects multiple attempts to verify the same bootstrap code within a short time frame, indicative of a replay attack.
Detect Privilege Escalation to operator.admin
Severity: critical. Detects successful privilege escalation to operator.admin after bootstrap code verification.
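The two detections above can be modelled as functions over pairing and authorization events. The TypeScript below is an added example written for this page, not a rule from the platform and not OpenClaw's own logging; the event shape (ts, event, device, codeId, scope fields) and the constructed log lines are assumptions. The first rule flags a code identifier verified at least a threshold number of times inside a sliding window; the second flags an operator.admin grant that follows a bootstrap verification for the same device within a window.

```typescript
// Added example, not from the page or from OpenClaw. Event shape and sample
// log lines are constructed for the demo.

interface LogEvent {
  ts: number;                               // epoch seconds
  event: "bootstrap.verify" | "scope.grant";
  device: string;
  codeId?: string;                          // opaque identifier for the code; the code itself should not be logged
  scope?: string;
}

// Constructed sample: dev-1 verifies the same code three times in ten seconds
// and is granted operator.admin shortly after; dev-2 is a normal pairing.
const SAMPLE_LOG: string[] = [
  '{"ts":1000,"event":"bootstrap.verify","device":"dev-1","codeId":"c-abc"}',
  '{"ts":1005,"event":"bootstrap.verify","device":"dev-1","codeId":"c-abc"}',
  '{"ts":1009,"event":"bootstrap.verify","device":"dev-1","codeId":"c-abc"}',
  '{"ts":1030,"event":"scope.grant","device":"dev-1","scope":"operator.admin"}',
  '{"ts":1100,"event":"bootstrap.verify","device":"dev-2","codeId":"c-xyz"}',
  '{"ts":1500,"event":"scope.grant","device":"dev-2","scope":"operator.read"}',
];

function parseLog(lines: string[]): LogEvent[] {
  return lines
    .map(function (l) { return JSON.parse(l) as LogEvent; })
    .sort(function (a, b) { return a.ts - b.ts; });
}

interface RepeatHit { codeId: string; count: number; firstTs: number; lastTs: number; }

// Rule 1: the same codeId verified >= threshold times within windowSec.
// Uses a sliding window over the sorted timestamps of each code.
function detectRepeatedVerification(events: LogEvent[], threshold: number = 3, windowSec: number = 60): RepeatHit[] {
  const timesByCode: { [codeId: string]: number[] } = {};
  for (const e of events) {
    if (e.event !== "bootstrap.verify" || !e.codeId) continue;
    (timesByCode[e.codeId] = timesByCode[e.codeId] || []).push(e.ts);
  }
  const hits: RepeatHit[] = [];
  for (const codeId of Object.keys(timesByCode)) {
    const times = timesByCode[codeId];
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSec) start++;
      if (end - start + 1 >= threshold) {
        hits.push({ codeId, count: end - start + 1, firstTs: times[start], lastTs: times[end] });
        break; // one alert per code
      }
    }
  }
  return hits;
}

interface EscalationHit { device: string; verifyTs: number; grantTs: number; }

// Rule 2: operator.admin granted to a device within windowSec after the most
// recent bootstrap verification for that device.
function detectAdminAfterVerify(events: LogEvent[], windowSec: number = 300): EscalationHit[] {
  const lastVerify: { [device: string]: number } = {};
  const hits: EscalationHit[] = [];
  for (const e of events) {
    if (e.event === "bootstrap.verify") {
      lastVerify[e.device] = e.ts;
    } else if (e.event === "scope.grant" && e.scope === "operator.admin") {
      const v = lastVerify[e.device];
      if (v !== undefined && e.ts - v <= windowSec) {
        hits.push({ device: e.device, verifyTs: v, grantTs: e.ts });
      }
    }
  }
  return hits;
}
```

On the constructed sample, rule 1 reports c-abc with three verifications between ts 1000 and 1009, and rule 2 reports dev-1's operator.admin grant at ts 1030 following its verification at ts 1009. A device that retries after a transport error can also trip rule 1, so threshold and window are tuning knobs; correlating a rule 2 hit with a rule 1 hit on the same device is what makes the pair point at this specific replay rather than at routine pairing.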