GHSA-xrq9-jm7v-g9h7: OpenClaw: Paired-device pairing actions were not limited to the caller device
A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.
This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low.
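The class of bug described above, as an added example that is not OpenClaw's code: a constructed pairing model showing gateway-wide enumeration next to enumeration and actions bound to the caller device. The scope names, the `ownerDeviceId` field and all function names are assumptions made for illustration.

```typescript
// Added illustration: a hypothetical pairing model, not OpenClaw's code.
type Scope = "pairing:self" | "pairing:admin"; // constructed scope names
type Status = "pending" | "approved" | "rejected";
interface Session { deviceId: string; scopes: Scope[] }
interface PairingRequest { id: string; ownerDeviceId: string; status: Status }

// Constructed sample state: three pending requests owned by three devices.
function sampleStore(): PairingRequest[] {
  return [
    { id: "req-1", ownerDeviceId: "dev-phone", status: "pending" },
    { id: "req-2", ownerDeviceId: "dev-laptop", status: "pending" },
    { id: "req-3", ownerDeviceId: "dev-tablet", status: "pending" },
  ];
}

// "Before" shape: any paired session gets the gateway-wide list.
function listUnscoped(store: PairingRequest[], _caller: Session): PairingRequest[] {
  return store.slice();
}

// Single authorization decision shared by every pairing action.
function canAccess(caller: Session, req: PairingRequest): boolean {
  const gatewayWide = caller.scopes.indexOf("pairing:admin") !== -1;
  return gatewayWide || req.ownerDeviceId === caller.deviceId;
}

// "After" shape: enumeration is filtered to what the caller may touch.
function listForCaller(store: PairingRequest[], caller: Session): PairingRequest[] {
  return store.filter((req) => canAccess(caller, req));
}

// Approve or reject; other devices' requests look identical to "not found",
// so the return value cannot be used to probe which ids exist.
function resolveForCaller(store: PairingRequest[], caller: Session, id: string,
                          decision: "approved" | "rejected"): boolean {
  const req = store.filter((r) => r.id === id)[0];
  if (!req || req.status !== "pending" || !canAccess(caller, req)) return false;
  req.status = decision;
  return true;
}
```

Routing both the list path and the action path through one `canAccess` check keeps the two from drifting apart, which is how a filtered list can end up paired with an unfiltered approve handler.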