#VU125234 Improper access control in OpenClaw - CVE-2026-33579
Published: April 8, 2026
Vulnerability identifier: #VU125234
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33579
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OpenClaw
OpenClaw
Software vendor:
OpenClaw
OpenClaw
Description
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in /pair approve command path in extensions/device-pair/index.ts and src/infra/device-pairing.ts when approving pending device requests. A remote user can approve a pending device request asking for broader scopes to escalate privileges.
The issue occurs because caller scopes were not forwarded into the core approval check.
Remediation
Install security update from vendor's website.