CVE-2026-33579: Authorization Bypass in OpenClaw
Platform: nodejs
Component: openclaw
Fixed in: 2026.3.28
CVE-2026-33579 is an authorization bypass in OpenClaw. A user who holds pairing privileges but not admin privileges can approve device pairing requests that ask for broader scopes than the approver holds, up to and including administrative access. Versions of OpenClaw prior to 2026.3.28 are affected; the fix shipped in 2026.3.28.
Impact and Attack Scenarios
The primary impact of CVE-2026-33579 is privilege escalation. An attacker who already holds pairing privileges in OpenClaw, but not administrative rights, can approve a device request that asks for elevated scopes (for instance a request from a device they control) and thereby obtain full administrative control: modifying configuration, reading sensitive data, and potentially compromising the surrounding environment. The root cause is that the /pair approve command did not compare the caller's own scopes against the scopes requested by the device, so an approver could grant permissions they did not themselves possess.
Exploitation Context
CVE-2026-33579 was publicly disclosed on 2026-03-31. It carries a CVSS score of 9.5 (critical); note that CVSS measures severity, not likelihood of exploitation, and the EPSS estimate at the time of writing is 0.02% (4th percentile). No public proof-of-concept (PoC) code has been released, and the flaw is not listed in CISA KEV. Exploitation requires an account that already holds pairing privileges, so exposure is highest in deployments where pairing rights are handed out to non-admins; given how little is needed once that foothold exists, a working PoC would be straightforward to produce.
Threat Intelligence
EPSS: 0.02% (4th percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2026-33579 is to upgrade OpenClaw to version 2026.3.28 or later. That release forwards the caller's scopes into the device approval step so that a request can only be approved for scopes the approver already holds, which closes the privilege escalation. There is no configuration-level workaround for earlier versions; if an immediate upgrade is not possible, limit exposure by granting pairing privileges only to users you would also trust with admin access, and review pending and recently approved device requests for unexpected scope grants. After upgrading, confirm the fix by having a user with pairing but not admin privileges attempt to approve a device request for admin-level scopes and verifying that the approval is rejected.
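The following is an added example, not OpenClaw's code, that models the bug class and the fix described above: a "/pair approve" handler that trusts the caller's right to pair but never compares the caller's scopes with the requested ones, beside a hardened handler that forwards the caller's scopes into the decision. The scope names (operator.pairing, operator.read, operator.admin), the in-memory request store and all function names are assumptions chosen for illustration; the sample requests and callers are constructed. The verifyFix helper encodes the post-upgrade check from the mitigation paragraph.

```javascript
// Added example for CVE-2026-33579: a minimal model of a "/pair approve"
// handler in vulnerable and hardened form. NOT OpenClaw's code; the scope
// names, request store and function names are assumptions.

// Assumption: "operator.admin" implies every other scope, mirroring the
// page's "broader scopes" wording.
const ADMIN_SCOPE = "operator.admin";
const PAIRING_SCOPE = "operator.pairing";

// Constructed sample state: pending device pairing requests keyed by id.
const pendingRequests = new Map([
  ["req-1", { device: "laptop-a", scopes: ["operator.read"] }],
  ["req-2", { device: "laptop-b", scopes: ["operator.read", ADMIN_SCOPE] }],
]);

// Constructed callers: a user who may pair devices but is not an admin,
// and an admin.
const pairingUser = { name: "alice", scopes: [PAIRING_SCOPE, "operator.read"] };
const adminUser = { name: "root", scopes: [ADMIN_SCOPE] };

function canPair(caller) {
  return caller.scopes.includes(PAIRING_SCOPE) || caller.scopes.includes(ADMIN_SCOPE);
}

// Vulnerable pattern: once the caller is allowed to pair at all, the request
// is approved with every scope it asked for. The caller's own scopes are never
// compared against the requested ones, so a pairing-only user can approve a
// request for operator.admin.
function approveVulnerable(caller, requestId, store = pendingRequests) {
  if (!canPair(caller)) return { ok: false, reason: "caller may not pair devices" };
  const req = store.get(requestId);
  if (!req) return { ok: false, reason: "unknown request" };
  return { ok: true, device: req.device, granted: [...req.scopes] };
}

// Hardened pattern: the caller's scopes are forwarded into the decision and
// every requested scope must be one the caller already holds. Admins may
// grant anything; nobody else can grant more than they have.
function approveHardened(caller, requestId, store = pendingRequests) {
  if (!canPair(caller)) return { ok: false, reason: "caller may not pair devices" };
  const req = store.get(requestId);
  if (!req) return { ok: false, reason: "unknown request" };
  const isAdmin = caller.scopes.includes(ADMIN_SCOPE);
  const excess = req.scopes.filter((s) => !isAdmin && !caller.scopes.includes(s));
  if (excess.length > 0) {
    return { ok: false, reason: `requested scopes exceed caller scopes: ${excess.join(", ")}` };
  }
  return { ok: true, device: req.device, granted: [...req.scopes] };
}

// Post-upgrade check from the mitigation section: a pairing-only user must be
// refused when approving a request for admin scope, while in-scope requests
// and admin approvals still succeed.
function verifyFix(approve) {
  const escalation = approve(pairingUser, "req-2");
  const normal = approve(pairingUser, "req-1");
  const byAdmin = approve(adminUser, "req-2");
  return escalation.ok === false && normal.ok === true && byAdmin.ok === true;
}

console.log("vulnerable handler passes check:", verifyFix(approveVulnerable));
console.log("hardened handler passes check:", verifyFix(approveHardened));
```

Run with node; the vulnerable handler fails the check because the pairing-only user gets operator.admin granted, the hardened one passes. The same shape of check (run the approval as a low-privileged user and assert that an over-scoped request is refused) is what you would script against a real deployment after upgrading.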
How to fix
Update OpenClaw to version 2026.3.28 or higher. The update adds the missing caller scope validation to the device approval process, so that users with pairing privileges can no longer approve requests for scopes they do not hold themselves and cannot use the approval path to obtain administrative access.
Frequently asked questions
What is CVE-2026-33579 — Authorization Bypass in OpenClaw?
CVE-2026-33579 is a critical authorization bypass vulnerability in OpenClaw affecting versions 2026.3.24 and earlier, that is, all releases before the fix in 2026.3.28. It allows a user with pairing privileges but no admin privileges to approve device requests for broader scopes and thereby gain admin access.
Am I affected by CVE-2026-33579 in OpenClaw?
You are affected if you are using OpenClaw version 2026.3.24 or earlier. Upgrade to version 2026.3.28 or later to mitigate the risk.
How do I fix CVE-2026-33579 in OpenClaw?
Upgrade OpenClaw to version 2026.3.28 or later. This version includes the necessary fix to prevent unauthorized scope elevation.
Is CVE-2026-33579 being actively exploited?
No public exploit is known, the vulnerability is not listed in CISA KEV, and its EPSS score is low (0.02%). The CVSS 9.5 rating reflects severity, not observed exploitation. Because the attack requires only an account with pairing privileges, a working exploit would be easy to build, so treat the upgrade as urgent in any deployment where pairing rights are granted to non-admins.
Where can I find the official OpenClaw advisory for CVE-2026-33579?
Refer to the OpenClaw project's official security advisories and release notes for details on CVE-2026-33579 and the associated fix.