CVE-2026-33575

HIGH

OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes

Title source: cna

Description

OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in the pairing setup codes generated by the /pair endpoint and the OpenClaw qr command. An attacker who obtains a leaked setup code from chat history, logs, or screenshots can recover the shared gateway credential and reuse it outside the intended one-time pairing flow.

Scores

CVSS v3 7.5
EPSS 0.0004
EPSS Percentile 13.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-522
Status published
Products (3)
OpenClaw/OpenClaw < 2026.3.12
openclaw/openclaw < 2026.3.12
OpenClaw/OpenClaw 2026.3.12
Published Mar 29, 2026
Tracked Since Mar 29, 2026