HIGH 8.8 npm
Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority
GHSA-wrmq-9fc4-gwwj
Published · Modified
Description
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-q99w-vh6v-q3v7. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.
References
Ready to move
Start Securing
Free, no credit card | First findings in minutes