GHSA-7H7G-X2PX-94HJ: Credential Exposure in OpenClaw Device Pairing

The OpenClaw ecosystem utilizes a central Gateway architecture to connect various interfaces, such as mobile applications, CLI tools, and web chat clients. This connection is established through a device pairing mechanism that generates setup codes or QR codes via the /pair endpoint or the openclaw pairing qr command. These codes facilitate the initial authentication handshake between the new device and the Gateway.

Prior to version v2026.3.12, the system exhibited an insufficiently protected credentials vulnerability (CWE-522) in this pairing mechanism. The generated setup codes directly embedded long-lived, shared gateway credentials instead of utilizing ephemeral, single-use bootstrap tokens. This architectural decision inherently linked the security of the permanent authentication token to the physical and logical security of the pairing QR code.

Consequently, any unauthorized actor who successfully intercepts the pairing code obtains the master configuration token for the Gateway. This allows the attacker to silently authenticate their own client interfaces and maintain persistent access to the victim's environment, exposing sensitive AI agent configurations and historical data.

The vulnerability stems from a failure to implement a multi-stage authentication protocol during device enrollment. When a user requests a new pairing code, the Gateway serializes the primary, persistent configuration token directly into the payload of the setup string or QR code. The system makes no distinction between an enrollment token and a session token.

This implementation violates the principle of least privilege and secure token lifecycle management. Secure pairing protocols mandate the use of short-lived bootstrap tokens that are strictly tied to a brief time window and exist solely to facilitate a cryptographic exchange. In OpenClaw's vulnerable state, the generated code bypassed this exchange entirely, distributing the root authentication material directly.

Because the embedded token is shared across the Gateway and lacks an inherent expiration mechanism, the credential remains valid indefinitely. The system provides no automatic mechanism to detect or invalidate tokens that have been exposed during the pairing phase, forcing reliance on manual administrative rotation to terminate unauthorized sessions.

Analysis of the vulnerable implementation reveals that the /pair endpoint directly queried the Gateway's active configuration object and extracted the long-lived authentication token. This token was then concatenated into the pairing URI schema and rendered into the final QR code output.

// Vulnerable Implementation (Pre-v2026.3.12)
function generatePairingCode() {
  const config = getGatewayConfig();
  // Directly embedding the persistent token
  const payload = `openclaw://pair?token=${config.masterAuthToken}`;
  return QRCode.generate(payload);
}

The security patch applied in version v2026.3.12 restructures this logic to introduce a bootstrap token generator. The patch removes the extraction of masterAuthToken and replaces it with a call to generateShortLivedBootstrapToken(), which creates a cryptographic nonce tied to a strict time-to-live (TTL) parameter, typically expiring within a few minutes.

// Patched Implementation (v2026.3.12)
function generatePairingCode() {
  // Generate a 60-second ephemeral token
  const bootstrapToken = generateShortLivedBootstrapToken({ expiresIn: 60 });
  const payload = `openclaw://pair?bootstrap=${bootstrapToken}`;
  return QRCode.generate(payload);
}

When a device connects using the patched implementation, it submits the bootstrapToken to the Gateway. The Gateway validates the token's expiration, issues a unique, per-device session credential, and immediately invalidates the bootstrap token. This ensures that even if the QR code is subsequently obtained by an attacker, the payload is cryptographically useless.

Exploitation of this vulnerability requires the attacker to intercept the setup code during the device pairing phase. This interception can occur via physical shoulder surfing, capturing a screenshot of the QR code, or intercepting the string if it is transmitted over insecure out-of-band channels. The attack does not require prior authentication or network access to the Gateway.

Once the setup code is acquired, the attacker utilizes standard OpenClaw client tools to process the payload. By scanning the intercepted QR code or manually inputting the setup string into their own OpenClaw CLI or mobile application, the attacker's client automatically extracts the persistent token and initializes a connection to the victim's Gateway.

The Gateway processes the incoming connection as a legitimate, fully authenticated session because the provided credential exactly matches the master configuration token. The attacker's client receives the same administrative capabilities as the victim's primary device, allowing immediate interaction with the connected AI services and data repositories without triggering secondary authentication prompts.

Successful exploitation compromises the confidentiality and integrity of the entire OpenClaw Gateway environment. The attacker gains unrestricted access to the user's personal AI ecosystem, which fundamentally relies on the aggregation of sensitive data to function correctly. This access is persistent and operates with the highest available privilege level within the application context.

The primary impact is the unauthorized exposure of third-party API keys integrated into the Gateway, such as those for OpenAI, Anthropic, or local LLM instances. Furthermore, the attacker gains read-access to all historical chat logs, sensitive prompt engineering data, and customized agent configurations, leading to a complete breach of data confidentiality.

The persistence mechanism significantly amplifies the severity of the vulnerability. Because the attacker holds the long-lived master credential, their access survives application restarts, client disconnections, and legitimate device additions. Unless the victim explicitly monitors active pairings via the CLI and manually rotates the primary configuration token, the attacker maintains covert access indefinitely.

To remediate this vulnerability, administrators and users must upgrade the openclaw npm package to version v2026.3.12 or later. This update replaces the flawed pairing logic with the secure, short-lived bootstrap token exchange mechanism. The upgrade process is straightforward and can be executed via standard package managers (npm install -g openclaw@latest).

Upgrading the software alone is insufficient to secure previously compromised deployments. Because the vulnerability exposed the long-lived token itself, users must manually initiate a credential rotation on the Gateway after applying the patch. This action invalidates the old master configuration token and terminates any existing unauthorized sessions that rely on it.

As an ongoing operational security practice, users must execute the device pairing process exclusively in secure, private environments. Generating and displaying QR codes in public spaces or transmitting setup strings over unencrypted communication channels introduces unnecessary risk, even with the updated ephemeral token architecture in place.