📄 Description (English)
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.
🤖 AI Executive Summary
OpenClaw versions before 2026.3.28 contain a critical privilege escalation vulnerability in the device pairing approval mechanism that allows users with limited pairing privileges to approve requests granting admin-level access. The vulnerability stems from missing scope validation in the approval workflow, enabling unauthorized privilege elevation. This poses significant risk to organizations using OpenClaw for device management and access control.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 26, 2026 09:03
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in government (NCA, CITC), banking (SAMA-regulated institutions), and critical infrastructure sectors using OpenClaw for device management face significant risk. The vulnerability enables privilege escalation that could compromise administrative access controls, particularly impacting organizations with role-based access control (RBAC) implementations. Government agencies and financial institutions relying on OpenClaw for secure device pairing and approval workflows are most vulnerable to unauthorized admin access acquisition.
🏢 Affected Saudi Sectors
Government (NCA, CITC, Ministry of Interior)
Banking and Financial Services (SAMA-regulated)
Critical Infrastructure (Energy, Water, Utilities)
Healthcare (MOH, private hospitals)
Telecommunications (STC, Mobily, Zain)
Defense and Security
Enterprise IT Management
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.4
/ 10.0
🔧 Remediation Steps (English)
1. IMMEDIATE ACTIONS:
- Audit all device pairing approval logs for suspicious admin-level approvals from non-admin users
- Revoke any suspicious admin access granted through device pairing in the past 90 days
- Restrict device pairing approval permissions to verified admin accounts only
2. PATCHING:
- Upgrade OpenClaw to version 2026.3.28 or later immediately
- Apply patches to extensions/device-pair/index.ts and src/infra/device-pairing.ts
- Test patch deployment in staging environment before production rollout
3. COMPENSATING CONTROLS (if immediate patching not possible):
- Implement additional approval layer requiring separate admin verification for scope elevation requests
- Enable comprehensive audit logging for all device pairing approval activities
- Restrict device pairing approval functionality to dedicated admin accounts
- Implement scope validation at application entry points independent of approval module
4. DETECTION:
- Monitor for /pair approve command executions with scope elevation parameters
- Alert on admin-level scope approvals from non-admin user accounts
- Track device pairing requests requesting admin scopes and their approval status
- Review approval logs for users with pairing but not admin privileges approving elevated scopes
🔧 خطوات المعالجة (العربية)
1. الإجراءات الفورية:
- تدقيق جميع سجلات الموافقة على إقران الأجهزة للبحث عن موافقات مريبة على مستوى المسؤول من مستخدمين غير إداريين
- إلغاء أي وصول مريب على مستوى المسؤول تم منحه من خلال إقران الأجهزة في آخر 90 يوماً
- تقييد صلاحيات الموافقة على إقران الأجهزة للحسابات الإدارية المتحققة فقط
2. التصحيح:
- ترقية OpenClaw إلى الإصدار 2026.3.28 أو أحدث فوراً
- تطبيق التصحيحات على extensions/device-pair/index.ts و src/infra/device-pairing.ts
- اختبار نشر التصحيح في بيئة التجريب قبل نشره في الإنتاج
3. الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
- تنفيذ طبقة موافقة إضافية تتطلب التحقق الإداري المنفصل لطلبات تصعيد النطاق
- تفعيل تسجيل التدقيق الشامل لجميع أنشطة الموافقة على إقران الأجهزة
- تقييد وظيفة الموافقة على إقران الأجهزة للحسابات الإدارية المخصصة
- تنفيذ التحقق من النطاق في نقاط دخول التطبيق بشكل مستقل عن وحدة الموافقة
4. الكشف:
- مراقبة تنفيذ أوامر /pair approve مع معاملات تصعيد النطاق
- تنبيهات الموافقات على مستوى المسؤول من حسابات غير إدارية
- تتبع طلبات إقران الأجهزة التي تطلب نطاقات المسؤول وحالة موافقتها
- مراجعة سجلات الموافقة للمستخدمين الذين لديهم امتيازات إقران وليس إدارية يوافقون على نطاقات مرتفعة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy (privilege escalation violates least privilege)
ECC 2024 A.5.2.1 - User Registration and De-registration (unauthorized privilege elevation)
ECC 2024 A.5.3.1 - User Access Rights (scope validation failure)
ECC 2024 A.8.2.1 - User Identification and Authentication (authorization bypass)
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management (device access control)
SAMA CSF PR.AC-1 - Access Control Policy (privilege escalation prevention)
SAMA CSF PR.AC-4 - Access Rights and Privileges (scope validation)
SAMA CSF DE.CM-1 - Detection and Analysis (monitoring approval activities)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - User Access Management (privilege escalation)
ISO 27001:2022 A.5.3 - Access Control (scope validation)
ISO 27001:2022 A.8.2 - User Identification and Authentication (authorization)
ISO 27001:2022 A.8.3 - Access Rights (least privilege violation)
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Change default passwords and security parameters
PCI DSS 7.1 - Limit access to system components by business need-to-know
PCI DSS 8.2.1 - User identification and authentication mechanisms
🔗 References & Sources 3
🔗
https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd
disclosure@vulncheck.com
Patch
🔗
https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497
disclosure@vulncheck.com
Vendor Advisory
🔗
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-s...
disclosure@vulncheck.com
Third Party Advisory
📦 Affected Products / CPE 1 entries
openclaw:openclaw