HIGHCVE-2026-33575Published 2026-03-29Modified 2026-03-30CNA VulnCheck

CVE-2026-33575: OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes

OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outside the intended one-time pairing flow.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 2026.3.12
Affected Products: 1

Fix available

2026.3.12

Affected packages

OpenClaw / OpenClaw
< 2026.3.12 (from 0)
Fixed in 2026.3.12

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-7h7g-x2px-94hj)
VulnCheck Advisory: OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes

Metrics

Fix available