GHSA-7h7g-x2px-94hj: OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens

March 13, 2026

OpenClaw pairing setup codes generated by /pair and openclaw qr embedded the configured shared gateway token or password directly in the setup payload. Anyone who obtained that code from chat history, logs, screenshots, or copied QR payloads could recover the long-lived shared credential.

References

github.com/advisories/GHSA-7h7g-x2px-94hj
github.com/openclaw/openclaw
github.com/openclaw/openclaw/releases/tag/v2026.3.12
github.com/openclaw/openclaw/security/advisories/GHSA-7h7g-x2px-94hj

Code Behaviors & Features

Detect and mitigate GHSA-7h7g-x2px-94hj with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →