In OpenClaw versions up to and including 2026.3.12, device bootstrap codes could be replayed indefinitely against pending pairings, allowing an attacker who observed a code once to gain admin access at any time before the legitimate user completed pairing.
When a user initiated device pairing, OpenClaw issued a bootstrap code intended for single-use consumption by the paired device. In versions up to 2026.3.12, the server did not invalidate the code on use and did not bind it to a device fingerprint. An attacker who observed a bootstrap code (e.g., via screen-share, browser history, or a compromised clipboard manager) could replay it any time before the legitimate device completed pairing — or even after, in some edge cases — to claim the pending admin pairing for themselves. Exploitation required only network access to the target instance and a captured code.
The Actual Culprit
Bootstrap codes were treated as identifiers rather than capability tokens. No single-use enforcement, no device binding, no TTL below 'pairing window'.
Single-use, short TTL, and device-bound. Anything less is a bearer token, and bearer tokens leak.
If getting through pairing grants admin, pairing is an auth event. Defense-in-depth (MFA, out-of-band confirmation) belongs here.
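To make the distinction between "identifier" and "capability token" concrete, here is an added example (not OpenClaw's code; the store classes, the `PendingPairing` record, the 120-second TTL and the device-fingerprint strings are all assumptions) that models the flawed store beside a hardened one. The hardened store enforces the three properties named above: the code is consumed on first successful use, it is bound to the fingerprint of the device that requested the pairing, and it carries its own TTL that is shorter than the pairing window. It also keeps the consumed record around so that a later replay is reported as `replayed` rather than `unknown_code`, which is the event a detection pipeline should alert on.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class PendingPairing:
    """A pairing that has been started but not yet completed (assumed shape)."""
    code_hash: bytes          # sha256 of the bootstrap code; plaintext is never stored
    device_fingerprint: str   # fingerprint of the device that requested the pairing
    issued_at: float          # clock reading at issue time
    ttl_seconds: float        # validity window, kept well below the pairing window
    consumed: bool = False    # set on the first successful redemption


def _hash_code(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


class VulnerableBootstrapStore:
    """Models the flaw: the code is a plain lookup key that is never invalidated,
    is not bound to any device, and has no TTL of its own."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # code -> role granted on redemption

    def issue(self, role: str = "admin") -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = role
        return code

    def redeem(self, code: str, device_fingerprint: str) -> Optional[str]:
        # Any holder of the code, from any device, at any time, gets the role.
        return self._pending.get(code)


class HardenedBootstrapStore:
    """Treats the code as a capability token: single-use, device-bound, short-lived."""

    def __init__(self, ttl_seconds: float = 120.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._pending: Dict[bytes, PendingPairing] = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue(self, device_fingerprint: str) -> str:
        code = secrets.token_urlsafe(16)
        digest = _hash_code(code)
        self._pending[digest] = PendingPairing(
            code_hash=digest,
            device_fingerprint=device_fingerprint,
            issued_at=self._clock(),
            ttl_seconds=self._ttl,
        )
        return code

    def redeem(self, code: str, device_fingerprint: str) -> str:
        """Return 'ok' or a rejection reason; callers should log the reason."""
        pairing = self._pending.get(_hash_code(code))
        if pairing is None:
            return "unknown_code"
        if pairing.consumed:
            # A second use of a consumed code is a replay: high-signal detection event.
            return "replayed"
        if self._clock() - pairing.issued_at > pairing.ttl_seconds:
            del self._pending[pairing.code_hash]
            return "expired"
        if not hmac.compare_digest(pairing.device_fingerprint, device_fingerprint):
            return "device_mismatch"
        pairing.consumed = True  # invalidate on first use; keep the record so replays are visible
        return "ok"


def demo() -> Dict[str, Optional[str]]:
    """Run the observed-code scenario against both stores (constructed inputs)."""
    results: Dict[str, Optional[str]] = {}

    vuln = VulnerableBootstrapStore()
    code = vuln.issue()
    results["vuln_legit"] = vuln.redeem(code, "device-A")            # admin
    results["vuln_replay"] = vuln.redeem(code, "attacker-device")    # still admin

    now = [1000.0]
    hard = HardenedBootstrapStore(ttl_seconds=120.0, clock=lambda: now[0])
    code = hard.issue("device-A")
    results["hard_wrong_device"] = hard.redeem(code, "attacker-device")  # device_mismatch
    results["hard_legit"] = hard.redeem(code, "device-A")                # ok
    results["hard_replay"] = hard.redeem(code, "device-A")               # replayed

    code2 = hard.issue("device-B")
    now[0] += 121.0  # advance past the TTL
    results["hard_expired"] = hard.redeem(code2, "device-B")             # expired
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `clock` parameter is injected so expiry can be exercised without sleeping; in production the default `time.monotonic` is the right choice because wall-clock adjustments must not extend a code's life. Storing only the hash of the code means a read of the pending table does not yield redeemable codes, and reporting `replayed` separately from `unknown_code` gives the audit log a clean signal that a once-valid code has been reused.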