CVE-2026-33575

HIGH

OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes

Title source: cna

Description

OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in the pairing setup codes generated by the /pair endpoint and the OpenClaw qr command. An attacker who obtains a leaked setup code from chat history, logs, or screenshots can recover the shared gateway credential and reuse it outside the intended one-time pairing flow.

References (2)

Third Party Advisory: GitHub Security Advisory (GHSA-7h7g-x2px-94hj)
https://github.com/openclaw/openclaw/security/advisories/GHSA-7h7g-x2px-94hj

Third Party Advisory: VulnCheck Advisory: OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes
https://www.vulncheck.com/advisories/openclaw-long-lived-credential-exposure-in-pairing-setup-codes

Scores

CVSS v3 7.5
EPSS 0.0025
EPSS Percentile 15.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-522
Status published
Products (3)
OpenClaw/OpenClaw < 2026.3.12
openclaw/openclaw < 2026.3.12
OpenClaw/OpenClaw 2026.3.12
Published Mar 29, 2026
Tracked Since Mar 29, 2026