OpenClaw Device Pairing Vulnerability Allows Unauthorized Device Enrollment
A high-severity vulnerability (affecting OpenClaw versions prior to 2026.5.4) in the bundled device-pair plugin allowed authorized non-owner chat senders to issue device-pairing bootstrap codes, enabling them to enroll devices with operator/node capabilities and gain persistent unauthorized access within the OpenClaw environment.
A significant vulnerability has been identified in the openclaw project, specifically within its bundled device-pair plugin, affecting versions prior to 2026.5.4. This flaw allows existing, authenticated users who are not designated as owners, administrators, or possessing explicit pairing scope, to exploit the chat agent's /pair command endpoint. By sending specific chat commands, these non-owner users can illicitly generate and retrieve device-pairing bootstrap codes. An attacker can then leverage these codes to enroll new devices with full "operator/node capabilities" into the openclaw system. This results in persistent unauthorized access and control over the environment. The issue is critical for deployments where the device-pair plugin is enabled and chat channels (e.g., Telegram, Discord, Slack) are configured to allow non-owner command execution. This vulnerability does not affect unauthenticated users, as it requires prior authorized access to a chat channel.
Attack Chain
- Initial Access (Prerequisite): An attacker gains legitimate, non-owner access to a chat channel (e.g., Telegram, Discord, Slack) that is configured to interact with an
openclawagent. - Command Execution: The attacker sends a chat command to the
openclawagent, specifically targeting the exposed/paircommand surface. - Vulnerability Exploitation: The
openclawagent, due to the vulnerability in versions prior to2026.5.4, processes the/paircommand from the non-owner user, despite their lack of explicit pairing privileges. - Bootstrap Code Generation: The vulnerable agent generates and issues a device-pairing bootstrap code, transmitting it to the attacker via the chat channel.
- Device Enrollment: The attacker uses the acquired bootstrap code before its expiry to enroll a new, unauthorized device with the
openclawsystem. - Privilege Gain & Persistence: The newly enrolled device is automatically granted "operator/node capabilities" and establishes "persistent credentials," effectively escalating the attacker's access and control within the
openclawenvironment.
Impact
Successful exploitation of this vulnerability allows an unauthorized individual, who already has basic chat access, to gain significant control over the openclaw environment. By enrolling devices with operator/node capabilities, the attacker can achieve persistent access, potentially leading to data manipulation, unauthorized operations, or further compromise of integrated systems. This issue primarily impacts organizations using openclaw with chat agent integrations (like Telegram, Discord, or Slack) where the device-pair plugin is enabled and command access is not strictly limited to trusted personnel. The impact is the establishment of a backdoor-like persistence mechanism via the unauthorized enrollment of a new device.
Recommendation
- Immediately upgrade
openclawto version2026.5.4or later to remediate the vulnerability. - Review all currently paired devices within your
openclawdeployment and remove any unexpected or unauthorized entries to revoke persistent access gained through this vulnerability. - In shared chat channels where the
openclawagent is configured, limit command access to only those users who are explicitly authorized and trusted to manage device pairing, as outlined in the "Mitigations" section of the advisory.