⚠️ Action required if you're running OpenClaw before v2026.3.28
Run openclaw --version right now. If you're on anything older than v2026.3.28, update immediately. The vulnerability is exploitable with minimal access and leaves no obvious trace.
What Is CVE-2026-33579?
CVE-2026-33579 is a CWE-863 (Incorrect Authorization) vulnerability in OpenClaw, published to the NVD on March 31, 2026, and patched in v2026.3.28 two days earlier on March 29.
The root cause: the /pair approve command path fails to forward the caller's security scopes into the core authorization check. In plain English: when someone asks to pair a new device, the code that decides whether to approve it doesn't properly check what permissions the approver actually holds.
This means an attacker who already holds operator.pairing scope, the lowest meaningful permission tier in OpenClaw, can silently approve pairing requests that ask for operator.admin scope. Once approved, that device has full administrative access.
Who Is at Risk?
You're vulnerable if:
- You're running OpenClaw older than v2026.3.28
- You have any paired devices or have ever shared pairing access with anyone
- You use OpenClaw in a shared household, team, or organization where multiple people have pairing codes
You're less at risk (but should still update) if:
- Your OpenClaw instance runs completely isolated with no pairing, no gateway, and no external connections
- You are literally the only human who has ever touched the pairing flow
Why "basic pairing access" is lower than you think
Many OpenClaw operators share pairing QR codes with family members, teammates, or in online tutorials. Anyone who has ever scanned your pairing code has operator.pairing scope, and could have exploited this before you patched.
What an Attacker Can Do With Full Admin Access
Once operator.admin scope is obtained, the attacker can:
- Read all connected data sources: files, emails, calendar, anything your agent has access to
- Exfiltrate credentials: API keys, OAuth tokens, and anything stored in your skill environment or .env file
- Execute arbitrary tool calls: run shell commands, send messages, make API calls as your agent
- Modify your agent's behavior: change SOUL.md, AGENTS.md, and other config files to plant persistent backdoors
- Pivot to connected services: Stripe, Calendly, Gmail, any integration your agent can reach
This is effectively full system compromise via the AI agent layer.
How to Check and Fix
Check your current version
Run openclaw --version in your terminal. You need v2026.3.28 or later. If you're on v2026.4.x you're already patched.
Update if needed
Run npm update -g openclaw to update to the latest version, then run openclaw --version again to confirm the new version actually took effect. As of April 4, 2026, the latest is v2026.4.2.
Audit your paired devices
Run openclaw devices list and review every paired device. Revoke any you don't recognize or that were paired by someone who shouldn't have admin access.
Rotate your API keys
If your instance was accessible to others (pairing, shared, or any period of public gateway exposure) before patching, treat your API keys as compromised. Rotate Anthropic/OpenAI keys and any third-party tokens in your environment.
Check for signs of exploitation
Look for unusual paired devices, unexpected files in your workspace, changes to config files (SOUL.md, AGENTS.md, skills), or unexpected API charges. The exploit leaves no obvious log entry, so a clean log is not evidence that it wasn't used.
Run openclaw doctor
Run openclaw doctor --fix to normalize your config. v2026.3.28 also dropped automatic config migrations older than 2 months; the doctor fix will catch any issues with outdated config keys.
✅ After patching to v2026.3.28+
The /pair approve authorization check is fixed. New pairing approvals correctly validate the approver's scope before granting elevated permissions. Already-escalated devices from before the patch are NOT automatically revoked; you need to audit and revoke them manually with openclaw devices list, as described under "Audit your paired devices" above.
The Broader Pattern: OpenClaw's Security Track Record in 2026
CVE-2026-33579 is the third significant OpenClaw security issue in 2026:
- January 2026: CVE-2026-25253, one-click RCE via cross-site WebSocket hijacking (CVSS 8.8, patched in v2026.1.29)
- January 2026: Moltbook breach, 1.5 million agent API tokens exposed via an unsecured database
- March 2026: CVE-2026-33579, privilege escalation via /pair approve (CVSS 8.6, patched in v2026.3.28)
This isn't a reason to stop using OpenClaw: it's genuinely the best AI agent platform available, and the team has patched each issue quickly. But it is a reason to take security seriously and treat your OpenClaw instance like the powerful system-access tool it actually is.
Every one of these vulnerabilities was more dangerous because operators left setups misconfigured, unmonitored, and unpatched. The security risk isn't just in the code; it's in how the instance is configured and maintained.
What's Changed in v2026.4.x (The Version You Should Be On)
While you're updating, here's what you're getting beyond the security patch:
- v2026.3.28: CVE-2026-33579 fix + dropped legacy config migrations (2+ months old configs now fail validation instead of silently rewriting)
- v2026.3.31: Node/exec architecture cleanup, Plugin SDK deprecation warnings
- v2026.4.1: /tasks chat-native background task board, SearXNG bundled web search, Amazon Bedrock Guardrails support
- v2026.4.2: xAI/Grok plugin config migration (breaking: run openclaw doctor --fix if you use xAI)
If you're jumping from something older than v2026.3.28, run openclaw doctor --fix after updating to catch any config issues from the migration changes.
Not Sure If Your Setup Is Safe?
We'll audit your version, paired devices, API key hygiene, and gateway config. Written report delivered same day. If something's wrong, we'll tell you exactly how to fix it.
Book a $49 Security Audit: 45 min screen share · no upsell required · includes CVE-2026-33579 device audit
Related: The OpenClaw Security Wake-Up Call: What the Moltbook Breach Means for Your Setup