{"data":{"id":"1550a4f2-0ff9-4ea8-a7f3-7f7355619be1","title":"GHSA-67mf-f936-ppxf: OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval","summary":"OpenClaw (a local AI assistant software) had a security bug where the `node.pair.approve` function checked for `operator.write` permissions instead of the more restrictive `operator.pairing` scope, allowing users without proper authorization to approve device pairing on executive-capable nodes. This vulnerability only affects OpenClaw in its single-user trust model and does not impact multi-tenant services.","solution":"Update OpenClaw to version 2026.4.8 or later. The fix is available in the npm package and has been verified in commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 on the main branch.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-67mf-f936-ppxf","publishedAt":"2026-04-09T17:36:33.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.4.8 (fixed: 2026.4.8)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-09T17:36:33.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}