New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
HIGH 8.8 npm

Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority

GHSA-wrmq-9fc4-gwwj

Published · Modified

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-q99w-vh6v-q3v7. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.

Ready to move

Start Securing

Free, no credit card | First findings in minutes