GHSA-hf68-49fm-59cq: OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve

March 26, 2026

device.pair.approve allowed an operator.pairing approver to approve a pending device request for broader operator scopes than the approver actually held.

References

github.com/advisories/GHSA-hf68-49fm-59cq
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4
github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cq

Code Behaviors & Features

Detect and mitigate GHSA-hf68-49fm-59cq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →