CVE-2026-32987 — AI Deep Analysis Summary

🚨 **Essence**: OpenClaw has a **Replay Attack** flaw during device pairing.…

🛡️ **Root Cause**: **CWE-294** (Capture and Replay). The system fails to validate the uniqueness/timestamp of the **bootstrap setup code** during the pairing handshake, allowing reuse.

📦 **Affected**: **OpenClaw** (Open-source AI Assistant). Specifically versions **before 2026.3.13**. If you are running an older build, you are vulnerable.

🔓 **Impact**: Full **Privilege Escalation**. Hackers can gain **operator.admin** rights. This means High Confidentiality, Integrity, and Availability impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

⚡ **Threshold**: **LOW**. CVSS indicates **Network** accessible, **Low** complexity, **No** Privileges required, **No** User Interaction needed. It is an easy target for remote attackers.

💣 **Public Exploit**: **No**. The `pocs` array is empty. No Proof-of-Concept code is currently available in the wild, but the logic is clear.

🔍 **Self-Check**: Check your OpenClaw version. If it is **< 2026.3.13**, you are at risk. Monitor logs for repeated, identical **bootstrap setup codes** during pairing attempts.

✅ **Fix**: **Yes**. Patched in version **2026.3.13**. See GitHub Advisory **GHSA-63f5-hhc7-cx6p** and Commit **1803d16** for the official fix details.

🚧 **Workaround**: If you cannot patch immediately, **disable remote device pairing** or restrict network access to the pairing interface. Implement strict rate-limiting on bootstrap code submissions.

🔥 **Urgency**: **CRITICAL**. Due to **No Auth** requirement and **Admin** escalation potential, patch immediately. Do not wait for an exploit to appear.