GHSA-63f5-hhc7-cx6p: OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval

March 16, 2026

openclaw versions <= 2026.3.12 allowed bootstrap setup codes to be replayed before approval, which could widen the scopes on a pending device pairing request.

References

github.com/advisories/GHSA-63f5-hhc7-cx6p
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c
github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p

Code Behaviors & Features

Detect and mitigate GHSA-63f5-hhc7-cx6p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →