CVE-2026-41386: OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing
(updated )
Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing.
References
- github.com/advisories/GHSA-gg9v-mgcp-v6m7
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/a600c72ed7d0045a27f58bf031d2b36ecb0141c9
- github.com/openclaw/openclaw/security/advisories/GHSA-gg9v-mgcp-v6m7
- nvd.nist.gov/vuln/detail/CVE-2026-41386
- www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unbound-bootstrap-setup-codes
Code Behaviors & Features
Detect and mitigate CVE-2026-41386 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →