Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
OpenClaw, the open-source AI agent platform with 347,000 GitHub stars, just patched a critical bug that lets anyone with the lowest access level become full admin. Complete control over every connected account, file, and messaging platform.
CVE-2026-33579. CVSS 4.0: 8.6 HIGH. The sixth pairing-related CVE in six weeks.
The bug is embarrassingly simple. When /pair approve runs, the handler doesn’t forward the caller’s permission scopes. A pairing-level user gets approved with admin privileges because the code just… doesn’t check. No memory corruption, no race condition. The permissions simply don’t get passed along.
Here’s the scary number: 63% of the 135,000+ publicly exposed OpenClaw instances run without any authentication at all. The CVE assumes “low privileges required” for exploitation. But when two-thirds of deployments don’t require any privileges, this is effectively unauthenticated remote admin takeover.
The patch (version 2026.3.28) dropped March 29. The NVD didn’t list it until March 31. Two days where the fix existed but most vulnerability scanners didn’t know about it. Automated scanning scripts started hitting exposed instances within hours of the NVD listing.
One critical CVE would be a bad day. Six in the same subsystem in six weeks is a design problem. The same boundary between the device-pair extension and the pairing infrastructure keeps failing to enforce permissions. That’s not bad luck. That’s architectural debt.
Update to 2026.3.28 now. Then assume compromise. Review pairing access, check connected accounts for unauthorized activity, and audit messaging logs. If your instance was publicly exposed without auth, treat it as a confirmed breach until proven otherwise.
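To make the missing-scope-forwarding failure concrete, and to show the kind of audit check the "review pairing access" step calls for, here is an added example in Python. It is not OpenClaw code and none of its names (the scope strings, `approve_pair_*`, the audit record shape) come from the project; they are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Scope names below are constructed for this example; the page does not
# list OpenClaw's real scope identifiers.
ALL_SCOPES = frozenset({"pair", "read", "write", "admin"})


@dataclass(frozen=True)
class Principal:
    name: str
    scopes: frozenset


@dataclass(frozen=True)
class PairRequest:
    device_id: str
    requested_scopes: frozenset


def approve_pair_vulnerable(caller: Principal, req: PairRequest) -> Principal:
    """The failure pattern described above: the caller's scopes are never
    consulted, so whoever reaches the approve handler mints a principal
    holding every scope, admin included."""
    return Principal(req.device_id, ALL_SCOPES)


def approve_pair_fixed(caller: Principal, req: PairRequest) -> Principal:
    """Forward the caller's scopes: only holders of the (assumed) 'pair'
    scope may approve, and the paired device receives at most the
    intersection of what it asked for and what the approver holds."""
    if "pair" not in caller.scopes:
        raise PermissionError(f"{caller.name} may not approve pairings")
    granted = req.requested_scopes & caller.scopes
    if not granted:
        raise PermissionError("no approvable scopes in request")
    return Principal(req.device_id, granted)


def find_escalations(audit_log):
    """Post-patch audit step: return approvals where the device ended up
    with scopes the approver did not hold. Each record is a dict with
    'approver_scopes' and 'granted_scopes' (a constructed log shape)."""
    return [
        rec for rec in audit_log
        if set(rec["granted_scopes"]) - set(rec["approver_scopes"])
    ]
```

Any record `find_escalations` returns is a pairing approved while the scope check was missing and is a starting point for the account and messaging-log review.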
AI agents are powerful because they connect to everything. That’s also why a single auth bug in an AI agent is worse than the same bug in almost any other software. The blast radius is your entire digital life.
Why security researchers say OpenClaw users should assume they’ve been compromised