GHSA-gg9v-mgcp-v6m7

Source

https://github.com/advisories/GHSA-gg9v-mgcp-v6m7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-gg9v-mgcp-v6m7/GHSA-gg9v-mgcp-v6m7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gg9v-mgcp-v6m7

Downstream

MINI-c4cf-3rg4-6vvj

Published

2026-04-03T03:19:33Z

Modified

2026-04-03T03:33:31.323144Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N CVSS Calculator

Summary

OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing

Details

Summary

Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing.

Current Maintainer Triage

Status: open
Normalized severity: high
Assessment: Real first-use bootstrap privilege-escalation bug fixed and shipped in v2026.3.22+, so keep open for publication with current severity.

Affected Packages / Versions

Package: openclaw (npm)
Latest published npm version: 2026.3.31
Vulnerable version range: <=2026.3.13-1
Patched versions: >= 2026.3.22
First stable tag containing the fix: v2026.3.22

Fix Commit(s)

a600c72ed7d0045a27f58bf031d2b36ecb0141c9 — 2026-03-22T23:57:15-07:00

OpenClaw thanks @tdjackey for reporting.

Database specific

{
    "cwe_ids": [
        "CWE-269"
    ],
    "github_reviewed_at": "2026-04-03T03:19:33Z",
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

npm / openclaw

Package

Name: openclaw; View open source insights on deps.dev
Purl: pkg:npm/openclaw

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2026.3.22

Database specific

last_known_affected_version_range

"<= 2026.3.13-1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-gg9v-mgcp-v6m7/GHSA-gg9v-mgcp-v6m7.json"