CVE-2026-41909
OpenClaw < 2026.4.20 - Improper Authorization in Paired-Device Pairing Actions
CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th
OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.
| CWE | CWE-863 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Apr 23, 2026 |
| Last Updated | Apr 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
OpenClaw / OpenClaw
0 < 2026.4.20
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7 github.com: https://github.com/openclaw/openclaw/commit/5a12f30441d5b0b151f550daa2c5c9e8db61e2e6 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-improper-authorization-in-paired-device-pairing-actions
Credits
Chia Min Jun Lennon Hinotobi (@Hinotoi-agent)