GHSA-hc5h-pmr3-3497 (CVE-2026-33579)

Details

Summary

The /pair approve command path called device approval without forwarding caller scopes into the core approval check.

Impact

A caller that held pairing privileges but not admin privileges could approve a pending device request asking for broader scopes, including admin access.

Affected Component

extensions/device-pair/index.ts, src/infra/device-pairing.ts

Fixed Versions

Affected: <= 2026.3.24
Patched: >= 2026.3.28
Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 4ee4960de2 (Pairing: forward caller scopes during approval).

OpenClaw thanks @AntAISecurityLab for reporting.

Affected Packages

openclaw

npm

Fixed in:

2026.3.28

References

ADVISORY

https://github.com/advisories/GHSA-hc5h-pmr3-3497

PACKAGE

https://github.com/openclaw/openclaw

WEB

https://github.com/openclaw/openclaw/commit/4ee4960de2330b5322127f925f3687dc6f105be1

WEB

https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497

ADVISORY

https://nvd.nist.gov/vuln/detail/CVE-2026-33579

WEB

https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval