GHSA-67mf-f936-ppxf: OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
The pairing approval method, `node.pair.approve`, accepted the broader `operator.write` scope instead of requiring the narrower `operator.pairing` scope and, for exec-capable nodes, the admin requirement.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.