Platform: nodejs
Component: openclaw
Fixed in: 2026.3.12
CVE-2026-33575 affects OpenClaw versions prior to 2026.3.12. The vulnerability stems from long-lived shared gateway credentials being embedded directly in the pairing setup codes generated by the /pair endpoint and the OpenClaw qr command. Anyone who obtains such a code, whether from chat history, logs, or screenshots, can recover the credential and reuse it, bypassing the intended one-time pairing flow.
The primary impact of CVE-2026-33575 is the potential for unauthorized access to OpenClaw instances. An attacker possessing a leaked pairing setup code can effectively impersonate a legitimate user and gain control over the associated gateway. This could lead to data breaches, manipulation of system configurations, and potentially, lateral movement within a network if the OpenClaw instance has access to other resources. The blast radius is dependent on the permissions granted to the compromised gateway; a gateway with broad access could have significant consequences. While no direct precedent exists mirroring this exact scenario, the principle of credential leakage and reuse is a common attack vector, similar to vulnerabilities involving hardcoded API keys or improperly secured tokens.
CVE-2026-33575 was published on 2026-03-29 and is rated High (CVSS 7.5). No public proof-of-concept exploit is currently known. It is not listed in CISA's KEV catalog, and its EPSS score is low (0.04%, 14th percentile), indicating a low probability of exploitation in the wild at this time. However, because exploitation is trivial once a pairing code has leaked, it warrants careful attention and proactive mitigation.
OpenClaw deployments that distribute pairing codes over chat platforms or other communication channels, where the codes may be inadvertently shared or retained, are at risk. Organizations without robust log management and access controls are more exposed. Any environment in which screenshots or logs containing pairing codes are stored or transmitted is potentially exposed.
Disclosure
Exploit status
EPSS: 0.04% (14th percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2026-33575 is to upgrade OpenClaw to version 2026.3.12 or later, which stops the credential from being embedded in setup codes. Note that upgrading does not invalidate a credential that has already leaked: every code generated before the fix carried the long-lived shared credential, so if any such code may have been exposed, revoke and rotate that credential. If upgrading is not immediately feasible, review chat logs, system logs, and any shared screenshots for pairing codes, and revoke any credentials suspected of being compromised. Implement stricter access controls and monitoring around the /pair endpoint to detect and block unauthorized pairing attempts. A WAF or proxy cannot prevent the credential from being embedded, but it can be configured to flag suspicious activity around the pairing process and alert administrators. After upgrading, verify the fix by generating a new pairing code and confirming that the shared credential is not contained in it.
Update OpenClaw to version 2026.3.12 or later. This fixes the vulnerability that exposes long-lived credentials in pairing setup codes.
CVE-2026-33575 is a high-severity vulnerability in OpenClaw versions prior to 2026.3.12 in which pairing setup codes embed long-lived gateway credentials, allowing anyone who obtains a code to reuse the credential.
If you are running any OpenClaw version prior to 2026.3.12, you are affected. Check your version and upgrade immediately.
Upgrade OpenClaw to version 2026.3.12 or later to resolve the vulnerability. As a temporary measure, consider disabling the /pair endpoint, and rotate the shared gateway credential if any previously generated pairing code may have been exposed.
There is currently no confirmed active exploitation, but the nature of the flaw (a credential recoverable from any leaked code) makes future abuse plausible.
Refer to the official OpenClaw security advisory for detailed information and updates: [Replace with actual advisory URL when available]