Back to blog On this page CVE-2026-33579: OpenClaw Privilege Escalation Fix Guide CVE-2026-33579 is a privilege escalation vulnerability in OpenClaw before 2026.3.28 that lets any attacker with pairing access silently gain full admin control over your instance. The root cause: the /pair approve command path fails to forward the caller's security scopes into the core authorization check. Fix: update to OpenClaw 2026.3.28 immediately. This guide explains the bug mechanics, the full upgrade path, and how to detect whether your instance was already exploited. Published 2026-04-01. Update this article when a public PoC is released. What Is CVE-2026-33579 and Why Does It Matter for OpenClaw Users? CVE-2026-33579 is a CWE-863 (Incorrect Authorization) vulnerability in OpenClaw, assigned a CVSS 4.0 score of 8.6 HIGH (vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N ) and a CVSS 3.1 score of 8.1 HIGH . According to VulnCheck (who published CVE-2026-33579 to NVD on March 31, 2026), the vulnerability was patched in OpenClaw 2026.3.28 released March 29, 2026. The NVD listed the CVE on 2026-03-31; the fix landed two days earlier in the OpenClaw 2026.3.28 release on March 29, 2026. The GitHub Security Advisory is GHSA-hc5h-pmr3-3497 . Credit for discovery goes to AntAISecurityLab. The practical impact is severe: an attacker who already holds operator.pairing scope — the lowest meaningful permission in an OpenClaw deployment — can silently approve device pairing requests that ask for operator.admin scope. Once that approval goes through, the attacking device holds full administrative access to the OpenClaw instance. No secondary exploit is needed. No user interaction is required beyond the initial pairing step. For organizations running OpenClaw as a company-wide AI agent platform, a compromised operator.admin device can read all connected data sources, exfiltrate credentials stored in the agent's skill environment, execute arbitrary tool calls, and pivot to other connected services. The word "privilege escalation" undersells this: the outcome is full instance takeover. CVE-2026-33579 is distinct from the companion CVE-2026-32922 (CVSS 9.9 CRITICAL) that was fixed in 2026.3.11. If you patched 32922 but have not yet updated to 2026.3.28, your instance is still vulnerable to 33579. How Does the /pair approve Privilege Escalation Actually Work? The bug lives at the intersection of two files in the OpenClaw codebase: extensions/device-pair/index.ts — the command handler for /pair approve src/infra/device-pairing.ts — the core approval function that executes the scope grant When a user or device issues /pair approve [request-id] , the command handler in extensions/device-pair/index.ts retrieves the device pairing request and calls the core approval function in src/infra/device-pairing.ts . The critical flaw: it does not pass the callerScopes (the security scopes of the person issuing the approve command) into that core function. The core approval function therefore has no information about who is approving — it only sees the device pairing request itself. It validates that the pairing request is well-formed and that the requested scopes are valid OpenClaw scopes. Since operator.admin is a valid scope, the request passes validation. Scope is granted. The intended authorization model requires that an approver can only grant scopes they themselves hold. Because callerScopes is never forwarded, that check never executes. Patch commit e403decb6e20091b5402780a7ccd2085f98aa3cd (merged in v2026.3.28 ) adds callerScopes to the approval function signature and enforces that the requested device scopes are a strict subset of the caller's own scopes. What Does the Attack Chain Look Like? Here is the full attack path, step by step: 1 Obtain operator.pairing access The attacker acquires an account or session with operator.pairing scope. On the 63% of exposed OpenClaw instances running without authentication, this step requires no credentials at all — the attacker connects and is assigned base pairing rights. 2 Create or intercept a device pairing request The attacker registers a new device and crafts a pairing request that specifies operator.admin as the desired scope. This is a normal part of the OpenClaw pairing flow — specifying desired scopes in a device registration request is expected behavior. 3 Issue /pair approve The attacker issues /pair approve [request-id] using their pairing-scoped session. The vulnerable code path processes the approval without checking whether the approver is authorized to grant operator.admin . 4 Attacker's device now holds operator.admin Approval succeeds. The attacker's device is now an admin. From this point, the attacker controls the full OpenClaw instance — all data, all connected services, all skills. No public proof-of-concept exploit exists as of the NVD publication date (2026-03-31). Security researchers recommend treating this as actively exploitable given the low complexity and the ex...