OpenClaw, Improper Authorization, CVE-2026-41909 (Low)

Listen to this Post

The vulnerability stems from improper authorization in OpenClaw’s paired-device pairing management component. In affected versions (< 2026.4.20), a session from a paired device that holds only limited pairing scope can enumerate the global pairing state of the gateway. This means the session can list all pending pairing requests across the whole gateway, not just those intended for the specific caller device.
Additionally, the same session can act on these unrelated pairing requests. For example, it can approve or reject pairing attempts that belong to other devices within the same gateway scope ceiling. The bug is not remotely exploitable or unauthenticated; it requires an attacker to already have a paired-device session on the gateway. The root cause is that the pairing management actions were not limited to the caller device, so there was no check to ensure the action was being performed on a request that originated from the same device.
The fix, implemented in commit 5a12f30441d5b0b151f550daa2c5c9e8db61e2e6, enforces that pairing management actions are limited to the caller device. Non-admin paired-device sessions can no longer approve or operate on unrelated pending device requests.

DailyCVE Form

Platform: `OpenClaw`
Version: `< 2026.4.20` Vulnerability: `Improper Authorization` Severity: `Low` Date: `2026-04-25`

Prediction: `2026-04-20`

What Undercode Say:

Check current OpenClaw version
openclaw --version
Update to patched version (2026.4.20 or later)
npm update -g openclaw
Verify the fix is applied
openclaw --version | grep -q "2026.4.20" && echo "Fixed" || echo "Vulnerable"
Example node script demonstrating the vulnerable state (conceptual)
const { gateway } = require('openclaw');
const session = gateway.authenticateAsPairedDevice({ scope: 'pairing' });
// This should fail, but in vulnerable versions it listed all global pending requests
const pending = session.listPairingRequests({ all: true });

Exploit:

An attacker with an existing paired-device session (even a low-privilege one) can call pairing management APIs without the proper caller-device check. By enumerating all pending pairing requests, the attacker can approve a request from a different device, granting that device access to the gateway. The attacker does not need admin privileges and the action is performed within the same gateway, making it difficult to detect.

Protection from this CVE

Upgrade to OpenClaw version `2026.4.20` or later immediately. If an immediate upgrade is not possible, restrict network access to the gateway’s pairing management interface and monitor for unexpected pairing approvals. The fix is included in the official release and no workarounds are available for earlier versions.

Impact

A low‑severity authorization bypass that allows a paired device with only pairing scope to interfere with other devices’ pairing processes. The impact is limited to the same gateway and requires prior access. However, in multi‑tenant or shared environments, this could lead to unauthorized device admission or denial of legitimate pairing attempts.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top