{"data":{"id":"775b34f7-29cf-424c-a492-8449d936774a","title":"GHSA-whf9-3hcx-gq54: OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing","summary":"OpenClaw's `device.token.rotate` function had a security flaw where it could create tokens with roles (sets of permissions) that had not been approved through the required pairing process, potentially letting a user gain access levels that were never authorized. This vulnerability only affects OpenClaw, which is local assistant software that runs on a user's own device.","solution":"Update OpenClaw to version 2026.4.8 or later. The fix is available in the patched npm version and was merged into the main codebase at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-whf9-3hcx-gq54","publishedAt":"2026-04-09T17:33:05.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":[],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.4.8 (fixed: 2026.4.8)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-09T17:33:05.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}