CVE-2026-32987 - Vulnerability Details

OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openclaw	Openclaw

No data.

References

Link	Providers
https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c
https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p
https://www.vulncheck.com/advisories/openclaw-bootstrap-setup-code-replay-via-device-pairing

History

Sun, 29 Mar 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.
Title		OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing
First Time appeared		Openclaw Openclaw openclaw
Weaknesses		CWE-294
CPEs		cpe:2.3:a:openclaw:openclaw::::::node.js::*
Vendors & Products		Openclaw Openclaw openclaw
References		https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p https://www.vulncheck.com/advisories/openclaw-bootstrap-setup-code-replay-via-device-pairing
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-03-29T12:44:29.705Z

Updated: 2026-03-29T12:44:29.705Z

Reserved: 2026-03-17T11:31:56.956Z

Link: CVE-2026-32987

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-29T13:17:02.563

Modified: 2026-03-29T13:17:02.563

Link: CVE-2026-32987

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object