CVE-2026-53843: OpenClaw: Pairing-scoped device session could restore revoked node token authority

June 18, 2026

In affected releases, a surviving pairing-scoped session for a device could re-establish node token authority after that node token had been revoked. Revocation should require the device to lose that authority unless it is approved again through the normal pairing flow.

This issue affects token revocation and device-role containment. It does not allow unauthenticated device creation.

References

github.com/advisories/GHSA-q99w-vh6v-q3v7
github.com/openclaw/openclaw/security/advisories/GHSA-q99w-vh6v-q3v7
nvd.nist.gov/vuln/detail/CVE-2026-53843
www.vulncheck.com/advisories/openclaw-node-token-revocation-bypass-via-pairing-scoped-device-session

Code Behaviors & Features

Detect and mitigate CVE-2026-53843 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →