Severity: HIGH | CVE-2026-32905 | CNA: VulnCheck

CVE-2026-32905: OpenClaw < 2026.5.4 - Unauthorized Device-Pairing Bootstrap Code Issuance via Chat Command

OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal.

HarborGuard Analysis

Synopsis

OpenClaw before 2026.5.4 has an authorization bypass in its bundled device-pair plugin: any chat sender with command access can issue device-pairing bootstrap codes without the scope check that should restrict the action to owners. A successful attacker enrolls new devices with operator or node capabilities, gaining persistent credentials that survive until an admin manually removes them. A patched-image rebuild at 2026.5.4 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against OpenClaw images in customer registries and CI pipelines, including custom-built images that bundle OpenClaw as a layer.

Triage: Available

Triage capability scores this at CVSS 8.7 (High) using the published v4.0 vector, then re-weights against each customer org's compliance policy so that, for example, environments where the chat surface is internet-exposed escalate faster than isolated lab deployments. Findings route to the OpenClaw or platform-security inbox configured for that org.

Patch: Available

A patched-image rebuild at 2026.5.4 becomes available on HarborGuard for environments running an affected version. Customers with auto-remediation enabled get the rebuild, a regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the OpenClaw chat command interface over the network (AV:N).

  • Authentication: Required

    A low-privilege authorized chat-sender account is sufficient; owner privileges are not needed (PR:L).

  • Victim interaction: Not required

    No user has to click or approve anything; the bootstrap code is issued on demand (UI:N).

  • Attack complexity: Low

    Attack complexity is low: the exploit is a direct chat command with no race or environmental preconditions (AC:L).

Blast Radius

  • Issues device-pairing bootstrap codes and enrolls attacker-controlled devices with operator or node capabilities.
  • Obtains persistent credentials that remain valid until an administrator manually removes the rogue device.
  • Reads data accessible to operator/node-scoped devices and modifies state through those same capabilities (VC:H, VI:H).
  • Can cause limited availability disruption to the affected OpenClaw instance through abusive device enrollment (VA:L).

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at OpenClaw 2026.5.4 is published for affected environments, and customers with auto-remediation enabled receive the rebuilt image, an automated regression run, and a PR opened against workloads that pin an affected version. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that cannot upgrade immediately, compensating-control guidance covers restricting chat command access to owner-scoped identities, network-policy isolation of the OpenClaw control plane, and auditing recently issued pairing codes to revoke any unrecognized device enrollments.
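
To make the defect class and the audit control concrete, here is a small Python model added for this page (it is not OpenClaw's code, whose language and plugin API the advisory does not describe) of a device-pair command handler before and after the fix, plus an audit helper that flags bootstrap codes minted by non-owners. The scope names, the Sender type and the code format are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
import secrets

OWNER_SCOPE = "owner"        # hypothetical scope that should gate bootstrap issuance
CHAT_SCOPE = "chat:command"  # hypothetical scope held by any authorized chat sender


@dataclass(frozen=True)
class Sender:
    name: str
    scopes: frozenset


@dataclass
class DevicePairPlugin:
    """Model of the device-pair chat command; `issued` maps code -> (issuer, capabilities)."""
    issued: dict = field(default_factory=dict)

    def issue_vulnerable(self, sender: Sender, capabilities) -> Optional[str]:
        # Pre-2026.5.4 behaviour as the advisory describes it: the only check is
        # that the sender may use chat commands at all, so non-owners pass.
        if CHAT_SCOPE not in sender.scopes:
            return None
        return self._mint(sender, capabilities)

    def issue_fixed(self, sender: Sender, capabilities) -> Optional[str]:
        # Hardened: the bootstrap action itself is owner-scoped, independent of
        # the general chat-command permission.
        if CHAT_SCOPE not in sender.scopes or OWNER_SCOPE not in sender.scopes:
            return None
        return self._mint(sender, capabilities)

    def _mint(self, sender: Sender, capabilities) -> str:
        # A bootstrap code grants the listed capabilities (operator/node) to the
        # device that redeems it and stays valid until an admin revokes it.
        code = secrets.token_urlsafe(8)
        self.issued[code] = (sender.name, frozenset(capabilities))
        return code

    def audit(self, known_owners) -> list:
        # Compensating control: codes minted by anyone outside the owner set are
        # candidates for revocation.
        return sorted(code for code, (issuer, _) in self.issued.items()
                      if issuer not in known_owners)
```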

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 2026.5.4
Affected products: 1

Fix available: 2026.5.4

Affected packages
  • OpenClaw / OpenClaw: < 2026.5.4 (from 0), fixed in 2026.5.4

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N