OpenClaw patched CVE-2026-33579 in version 2026.3.28 on March 29, fixing a privilege escalation vulnerability that allowed anyone with operator.pairing scope to silently approve device pairing requests for full operator.admin access. The CVE was listed on NVD two days later on March 31, per Blink’s technical analysis. Ars Technica published a detailed report on April 3 recommending that all OpenClaw users assume compromise.
Published CVSS scores range from 8.1 (CVSS 3.1) to 8.6 (CVSS 4.0) in VulnCheck's NVD listing, as relayed by RedPacket Security. Ars Technica's Dan Goodin reported scores as high as 9.8, depending on which scoring version and vector is applied.
How the Bug Worked
The vulnerability sat in two files: extensions/device-pair/index.ts (the command handler for /pair approve) and src/infra/device-pairing.ts (the core approval function). When a user issued /pair approve, the command handler retrieved the device pairing request and called the core approval function, but never passed the caller’s security scopes into that function, according to Blink’s analysis.
The result: the approval function had no information about who was approving, so it could not compare the requested scopes against the approver's own. It checked only that the pairing request was well-formed and that each requested scope was a valid OpenClaw scope name. Because operator.admin is a valid scope name, a request for it passed; the check was one of existence, not of authorization. No secondary exploit was needed, and no user interaction was required beyond the initial pairing step.
“The word ‘privilege escalation’ undersells this: the outcome is full instance takeover,” Blink wrote. A compromised operator.admin device can read all connected data sources, exfiltrate credentials stored in the agent’s skill environment, execute arbitrary tool calls, and pivot to connected services.
63% of Exposed Instances Had No Authentication
The severity compounds because of how OpenClaw is deployed in practice. Blink reported that 63% of the 135,000 OpenClaw instances found exposed to the internet in a scan earlier this year were running without authentication. On those deployments, any network visitor could request pairing access and obtain operator.pairing scope without credentials, according to Ars Technica.
“The authentication gate that is supposed to slow down CVE-2026-33579 does not exist,” Blink wrote.
The two-day gap between the patch release (March 29) and the CVE listing (March 31) gave attackers a head start on exploitation before most users would have known to update, Goodin noted in his Ars Technica report.
What to Do
The GitHub Security Advisory (GHSA-hc5h-pmr3-3497) credits AntAISecurityLab for the discovery. The fix in patch commit e403decb6e20091b5402780a7ccd2085f98aa3cd adds caller scopes to the approval function signature and enforces that requested device scopes are a strict subset of the caller’s own scopes, per Blink.
For builders running OpenClaw in production: update to 2026.3.28 or later immediately, inspect all /pair approval events in activity logs, and treat any deployment from the past month as potentially compromised. CVE-2026-33579 is distinct from the earlier CVE-2026-32922 (CVSS 9.9, patched in 2026.3.11). Patching 32922 does not cover 33579; an instance on 2026.3.11 is still vulnerable until it reaches 2026.3.28.