Platform
nodejs
Component
openclaw
Fixed in
2026.3.28
CVE-2026-33577 is a privilege escalation vulnerability in OpenClaw's node pairing approval process. The flaw allows a lower-privileged operator to potentially gain elevated privileges on a paired node by approving a pairing request with broader scopes than that operator should be able to grant. Versions of OpenClaw prior to 2026.3.28 are vulnerable; the fix is available in version 2026.3.28.
The core impact of CVE-2026-33577 is privilege escalation. An attacker operating with limited permissions could approve a node pairing request that grants them significantly more access and control than they are authorized to hold. This could enable them to read sensitive data, modify configurations, or even execute arbitrary code on the paired node. The blast radius extends to any data or services accessible by the compromised node, potentially affecting the entire OpenClaw infrastructure. The vulnerability reflects a critical flaw in the access control mechanisms of OpenClaw's node pairing process.
CVE-2026-33577 was publicly disclosed on 2026-04-01. There is currently no indication of active exploitation and no KEV listing. The severity is rated CRITICAL because of the potential for privilege escalation. No public proof-of-concept code is currently available, but given the nature of the flaw, exploitation is likely to be relatively straightforward once a working exploit is developed.
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33577 is to upgrade OpenClaw to version 2026.3.28 or later immediately. The patched version includes the fix implemented in commit 4d7cc6bb4f, which restricts node pairing approvals. If an immediate upgrade is not feasible because of compatibility concerns or downtime requirements, apply stricter access controls around node pairing approvals in the meantime: review existing approval policies and ensure that only authorized personnel with the appropriate permissions can approve node requests. Monitor OpenClaw logs for suspicious approval activity, particularly approvals that grant unusually broad scopes. After upgrading, confirm the fix by submitting a node pairing request as a lower-privileged user and verifying that the approval process correctly enforces scope limitations.
Update OpenClaw to version 2026.3.28 or later. This version corrects the insufficient scope validation in the node pairing approval path, preventing low-privilege operators from approving nodes with broader scopes. The update mitigates the risk of attackers extending privileges to paired nodes beyond their authorization level.
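The check the fix restores, and the log review the mitigation section recommends, can be illustrated with a small Node.js sketch. This is an added example and not OpenClaw's own code: the operator records, the scope strings, the approvePairingUnchecked / approvePairingChecked functions, the findEscalatingApprovals helper and the log event shape are all hypothetical. It places the weak approval (which only asks whether the operator may approve at all) beside the hardened one (which also requires every requested scope to be held by the approver), and then runs a constructed audit log through a detector for approvals that granted more than the approver had.

```javascript
// Added example, not OpenClaw's own code. All names below (operator records,
// scope strings, approvePairing* functions, the log shape) are hypothetical
// and only illustrate the class of check the fix restores: an operator may
// not approve a pairing that grants scopes the operator does not hold.

const KNOWN_SCOPES = Object.freeze([
  'pairing:approve', 'node:read', 'node:write', 'node:exec', 'node:admin',
]);

function hasScope(operator, scope) {
  return operator.scopes.includes(scope);
}

// Weak form: the only question asked is "may this operator approve pairings?".
// Requested scopes are copied straight through, so a low-privilege operator
// can approve a node with scopes the operator never held.
function approvePairingUnchecked(approver, request) {
  if (!hasScope(approver, 'pairing:approve')) {
    return { ok: false, reason: 'approver lacks pairing:approve' };
  }
  return { ok: true, grantedScopes: [...new Set(request.requestedScopes)] };
}

// Hardened form: every requested scope must be known and must be held by the
// approver. Out-of-bounds requests are refused as a whole rather than silently
// trimmed, so the requester sees exactly which scopes were rejected.
function approvePairingChecked(approver, request) {
  if (!hasScope(approver, 'pairing:approve')) {
    return { ok: false, reason: 'approver lacks pairing:approve' };
  }
  const requested = [...new Set(request.requestedScopes)];
  const unknown = requested.filter((s) => !KNOWN_SCOPES.includes(s));
  if (unknown.length > 0) {
    return { ok: false, reason: `unknown scopes: ${unknown.join(', ')}` };
  }
  const beyondApprover = requested.filter((s) => !hasScope(approver, s));
  if (beyondApprover.length > 0) {
    return { ok: false, reason: `approver cannot grant: ${beyondApprover.join(', ')}` };
  }
  return { ok: true, grantedScopes: requested };
}

// Audit helper for the "monitor logs for approvals granting unusually broad
// scopes" step: given past approval events and the operator directory, return
// the events whose granted scopes exceeded what the approver held at the time.
function findEscalatingApprovals(events, operatorsById) {
  const findings = [];
  for (const ev of events) {
    if (ev.type !== 'pairing.approved') continue;
    const approver = operatorsById[ev.approverId];
    const excess = approver
      ? ev.grantedScopes.filter((s) => !hasScope(approver, s))
      : [...ev.grantedScopes]; // unknown approver: treat every scope as excess
    if (excess.length > 0) {
      findings.push({ nodeId: ev.nodeId, approverId: ev.approverId, excess });
    }
  }
  return findings;
}

// Constructed sample data (not taken from any real deployment).
const OPERATORS = {
  'op-low': { id: 'op-low', scopes: ['pairing:approve', 'node:read'] },
  'op-admin': {
    id: 'op-admin',
    scopes: ['pairing:approve', 'node:read', 'node:write', 'node:exec', 'node:admin'],
  },
};

const REQUEST = { nodeId: 'node-7', requestedScopes: ['node:read', 'node:admin'] };

const AUDIT_LOG = [
  { type: 'pairing.approved', nodeId: 'node-1', approverId: 'op-admin', grantedScopes: ['node:read', 'node:exec'] },
  { type: 'pairing.approved', nodeId: 'node-7', approverId: 'op-low', grantedScopes: ['node:read', 'node:admin'] },
  { type: 'pairing.denied', nodeId: 'node-9', approverId: 'op-low', grantedScopes: [] },
];

// Runs the low-privilege request through both forms, the same request as an
// admin, and the audit log through the detector.
function demo() {
  return {
    unchecked: approvePairingUnchecked(OPERATORS['op-low'], REQUEST),
    checked: approvePairingChecked(OPERATORS['op-low'], REQUEST),
    adminChecked: approvePairingChecked(OPERATORS['op-admin'], REQUEST),
    escalations: findEscalatingApprovals(AUDIT_LOG, OPERATORS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The post-upgrade verification step from the mitigation section maps onto the checked path: a request from the low-privilege operator for node:admin must come back refused with the offending scope named, while the same request from an operator who actually holds node:admin is approved. The audit helper is deliberately conservative and reports an approval whose approver is no longer in the directory as fully escalating, since a missing record cannot justify any granted scope.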
CVE-2026-33577 is a CRITICAL vulnerability in OpenClaw versions <= 2026.3.24 that allows a lower-privileged user to escalate privileges by approving node pairing requests with broader scopes.
You are affected if you are running OpenClaw versions 2026.3.24 or earlier. Versions 2026.3.28 and later are patched.
Upgrade OpenClaw to version 2026.3.28 or later. The fix is implemented in commit 4d7cc6bb4f.
There is currently no evidence of active exploitation, but the vulnerability's severity warrants immediate attention and patching.
Refer to the OpenClaw security advisories on their official website or GitHub repository for the latest information and updates.