<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Openclaw (&lt; 2026.5.4) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/openclaw--2026.5.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:02:47 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/openclaw--2026.5.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenClaw Device Pairing Vulnerability Allows Unauthorized Device Enrollment</title><link>https://feed.craftedsignal.io/briefs/2026-07-openclaw-device-pairing-vulnerability/</link><pubDate>Fri, 03 Jul 2026 12:02:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openclaw-device-pairing-vulnerability/</guid><description>A high-severity vulnerability (affecting OpenClaw versions prior to 2026.5.4) in the bundled device-pair plugin allowed authorized non-owner chat senders to issue device-pairing bootstrap codes, enabling them to enroll devices with operator/node capabilities and gain persistent unauthorized access within the OpenClaw environment.</description><content:encoded><![CDATA[<p>A significant vulnerability has been identified in the <code>openclaw</code> project, specifically within its bundled device-pair plugin, affecting versions prior to <code>2026.5.4</code>. This flaw allows existing, authenticated users who are not designated as owners, administrators, or possessing explicit pairing scope, to exploit the chat agent's <code>/pair</code> command endpoint. By sending specific chat commands, these non-owner users can illicitly generate and retrieve device-pairing bootstrap codes. An attacker can then leverage these codes to enroll new devices with full &quot;operator/node capabilities&quot; into the <code>openclaw</code> system. This results in persistent unauthorized access and control over the environment. The issue is critical for deployments where the <code>device-pair</code> plugin is enabled and chat channels (e.g., Telegram, Discord, Slack) are configured to allow non-owner command execution. This vulnerability does not affect unauthenticated users, as it requires prior authorized access to a chat channel.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access (Prerequisite)</strong>: An attacker gains legitimate, non-owner access to a chat channel (e.g., Telegram, Discord, Slack) that is configured to interact with an <code>openclaw</code> agent.</li>
<li><strong>Command Execution</strong>: The attacker sends a chat command to the <code>openclaw</code> agent, specifically targeting the exposed <code>/pair</code> command surface.</li>
<li><strong>Vulnerability Exploitation</strong>: The <code>openclaw</code> agent, due to the vulnerability in versions prior to <code>2026.5.4</code>, processes the <code>/pair</code> command from the non-owner user, despite their lack of explicit pairing privileges.</li>
<li><strong>Bootstrap Code Generation</strong>: The vulnerable agent generates and issues a device-pairing bootstrap code, transmitting it to the attacker via the chat channel.</li>
<li><strong>Device Enrollment</strong>: The attacker uses the acquired bootstrap code before its expiry to enroll a new, unauthorized device with the <code>openclaw</code> system.</li>
<li><strong>Privilege Gain &amp; Persistence</strong>: The newly enrolled device is automatically granted &quot;operator/node capabilities&quot; and establishes &quot;persistent credentials,&quot; effectively escalating the attacker's access and control within the <code>openclaw</code> environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an unauthorized individual, who already has basic chat access, to gain significant control over the <code>openclaw</code> environment. By enrolling devices with operator/node capabilities, the attacker can achieve persistent access, potentially leading to data manipulation, unauthorized operations, or further compromise of integrated systems. This issue primarily impacts organizations using <code>openclaw</code> with chat agent integrations (like Telegram, Discord, or Slack) where the <code>device-pair</code> plugin is enabled and command access is not strictly limited to trusted personnel. The impact is the establishment of a backdoor-like persistence mechanism via the unauthorized enrollment of a new device.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade <code>openclaw</code> to version <code>2026.5.4</code> or later to remediate the vulnerability.</li>
<li>Review all currently paired devices within your <code>openclaw</code> deployment and remove any unexpected or unauthorized entries to revoke persistent access gained through this vulnerability.</li>
<li>In shared chat channels where the <code>openclaw</code> agent is configured, limit command access to only those users who are explicitly authorized and trusted to manage device pairing, as outlined in the &quot;Mitigations&quot; section of the advisory.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>application</category><category>privilege-escalation</category><category>persistence</category><category>npm</category></item></channel></rss>