GHSA-gg9v-mgcp-v6m7: OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing

April 3, 2026

Bootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing.

References

github.com/advisories/GHSA-gg9v-mgcp-v6m7
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/a600c72ed7d0045a27f58bf031d2b36ecb0141c9
github.com/openclaw/openclaw/security/advisories/GHSA-gg9v-mgcp-v6m7

Code Behaviors & Features

Detect and mitigate GHSA-gg9v-mgcp-v6m7 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →