GHSA-4jpw-hj22-2xmc: OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE
In affected versions of openclaw, a caller holding only `operator.pairing` could use `device.token.rotate` to mint a new token with broader scopes for an already paired device. If the target device was approved for `operator.admin`, the attacker could obtain an administrative token without already holding administrative scope.
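The advisory describes a rotate endpoint that checked the device's approval list but not the caller's own scopes. The following added example (not OpenClaw's code; the `Device`, `Caller`, handler names and audit-record shape are all hypothetical) models that pattern: the pre-fix handler lets a pairing-scoped caller mint an admin-scoped token for a device approved for `operator.admin`, the hardened handler refuses any requested scope the caller does not itself hold, and a small log check flags rotate events from an unpatched window where granted scopes exceeded the caller's.

```python
"""Hypothetical model of the scope-escalation pattern described in
GHSA-4jpw-hj22-2xmc (not OpenClaw's own code): a caller holding only
operator.pairing asks a device-token rotate endpoint for a token with
broader scopes on an already paired device."""
from dataclasses import dataclass, field
import secrets

PAIRING = "operator.pairing"
ADMIN = "operator.admin"


class ScopeError(PermissionError):
    """Raised when a rotate request is refused on authorization grounds."""


@dataclass
class Device:
    device_id: str
    approved_scopes: frozenset  # scopes the device was approved for at pairing time
    token: str = field(default_factory=lambda: secrets.token_hex(16))
    token_scopes: frozenset = frozenset({PAIRING})


@dataclass
class Caller:
    scopes: frozenset  # scopes carried by the caller's own token


def fresh_devices() -> dict:
    """Constructed sample state: one paired device approved for operator.admin."""
    return {"node-1": Device("node-1", frozenset({PAIRING, ADMIN}))}


def rotate_token_vulnerable(caller, devices, device_id, requested):
    """Pre-fix logic: operator.pairing alone gates the call, and the requested
    scopes are checked only against the device's approval list, never against
    what the caller itself holds."""
    if PAIRING not in caller.scopes:
        raise ScopeError("operator.pairing required")
    device = devices[device_id]
    requested = frozenset(requested)
    if not requested <= device.approved_scopes:
        raise ScopeError("device not approved for requested scopes")
    device.token = secrets.token_hex(16)
    device.token_scopes = requested
    return device.token, device.token_scopes


def rotate_token_hardened(caller, devices, device_id, requested):
    """Fixed logic: the minted scopes must be a subset of both the device's
    approval list and the caller's own scopes, so rotation can narrow or
    preserve privilege but never widen it."""
    if PAIRING not in caller.scopes:
        raise ScopeError("operator.pairing required")
    device = devices[device_id]
    requested = frozenset(requested)
    escalated = requested - caller.scopes
    if escalated:
        raise ScopeError(f"caller does not hold: {sorted(escalated)}")
    if not requested <= device.approved_scopes:
        raise ScopeError("device not approved for requested scopes")
    device.token = secrets.token_hex(16)
    device.token_scopes = requested
    return device.token, device.token_scopes


# Constructed audit records in a hypothetical shape: one entry per rotate call.
AUDIT_LOG = [
    {"caller": "op-7", "caller_scopes": [PAIRING], "device": "node-1", "granted": [PAIRING]},
    {"caller": "op-7", "caller_scopes": [PAIRING], "device": "node-1", "granted": [PAIRING, ADMIN]},
    {"caller": "op-2", "caller_scopes": [PAIRING, ADMIN], "device": "node-1", "granted": [ADMIN]},
]


def find_escalating_rotations(records):
    """Retrospective check for an unpatched window: flag every rotate event
    whose granted scopes exceed the scopes the caller held at the time."""
    hits = []
    for rec in records:
        extra = set(rec["granted"]) - set(rec["caller_scopes"])
        if extra:
            hits.append((rec["caller"], rec["device"], sorted(extra)))
    return hits


if __name__ == "__main__":
    low = Caller(frozenset({PAIRING}))
    _, scopes = rotate_token_vulnerable(low, fresh_devices(), "node-1", {ADMIN})
    print("vulnerable handler minted:", sorted(scopes))
    try:
        rotate_token_hardened(low, fresh_devices(), "node-1", {ADMIN})
    except ScopeError as exc:
        print("hardened handler refused:", exc)
    print("audit hits:", find_escalating_rotations(AUDIT_LOG))
```

The hardened check is deliberately a subset test rather than a role lookup: whatever scope vocabulary the real service uses, a rotate or refresh endpoint should never be able to hand back more than the caller already presents, and the audit helper applies the same rule after the fact to rotate events recorded before patching.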