GHSA-7h7g-x2px-94hj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7h7g-x2px-94hj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7h7g-x2px-94hj/GHSA-7h7g-x2px-94hj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7h7g-x2px-94hj
- Downstream
- Published
- 2026-03-13T20:54:18Z
- Modified
- 2026-03-13T22:14:50.086419Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens
- Details
-
Summary
OpenClaw pairing setup codes generated by
/pairandopenclaw qrembedded the configured shared gateway token or password directly in the setup payload. Anyone who obtained that code from chat history, logs, screenshots, or copied QR payloads could recover the long-lived shared credential.Impact
An attacker with access to a leaked setup code could reuse the shared gateway credential outside the intended one-time pairing flow.
Affected versions
openclaw<= 2026.3.11Patch
Fixed in
openclaw2026.3.12. Setup codes now carry short-lived bootstrap tokens that are only valid for the initial device bootstrap exchange. Update to2026.3.12or later and rotate any previously exposed shared gateway credentials if setup codes may have leaked. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-13T20:54:18Z", "cwe_ids": [ "CWE-532" ], "severity": "MODERATE", "nvd_published_at": null }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw