CVE-2026-53862

MEDIUM

OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening

Title source: cna
STIX 2.1

Description

OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-9v8j-9c9g-w66c)
https://github.com/openclaw/openclaw/security/advisories/GHSA-9v8j-9c9g-w66c
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening
https://www.vulncheck.com/advisories/openclaw-bootstrap-token-replay-via-pending-pairing-scope-widening

Scores

CVSS v3 4.2
EPSS 0.0009
EPSS Percentile 0.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-266 CWE-345
Status published
Products (5)
npm/openclaw 0 - 2026.5.12npm
openclaw/openclaw 2026.5.12 beta1 (8 CPE variants)
OpenClaw/OpenClaw < 2026.5.12
openclaw/openclaw < 2026.5.12
OpenClaw/OpenClaw 2026.5.12
Published Jun 16, 2026
Tracked Since Jun 17, 2026