Product
A high-severity vulnerability (affecting OpenClaw versions prior to 2026.5.4) in the bundled device-pair plugin allowed authorized non-owner chat senders to issue device-pairing bootstrap codes, enabling them to enroll devices with operator/node capabilities and gain persistent unauthorized access within the OpenClaw environment.