GHSA-whf9-3hcx-gq54: OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
Severity: medium · Tags: vulnerability, security
Source: GitHub Advisory Database · April 9, 2026
Summary
OpenClaw's `device.token.rotate` endpoint could mint a device token carrying roles (sets of permissions) that had never been approved through the device role-upgrade pairing flow. Because the rotation path did not re-check the roles it minted against what pairing had actually approved for the device, a user who could drive token rotation could end up with a token for a higher role than the device had been granted, bypassing the pairing step that is supposed to gate role upgrades. Only OpenClaw, a local assistant that runs on the user's own device, is affected.
Solution / Mitigation
Update OpenClaw to version 2026.4.8 or later; the fix ships in the patched npm release and was merged into the main codebase at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Confirm the installed version with `npm ls openclaw`. After upgrading, review the roles carried by existing device tokens, since a token minted through the flawed rotation path before the upgrade would still carry the unapproved role until it is revoked or rotated again.
Classification
Attack Sophistication: Moderate
Impact (CIA+S): integrity
AI Component Targeted: Agent
Affected Vendors
Affected Packages
openclaw (npm) < 2026.4.8 (fixed: 2026.4.8)
Original source: https://github.com/advisories/GHSA-whf9-3hcx-gq54
First tracked: April 9, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 75%