
If you're running OpenClaw, you probably got hacked in the last week

Why This Matters

The recent vulnerability in OpenClaw, CVE-2026-33579, exposes more than 135,000 instances to easy and rapid takeover by malicious actors, highlighting critical security gaps in IoT device management. It underscores the urgent need for timely patching and stronger security controls in connected devices to protect consumer and enterprise data, and it is a stark reminder of the risk that unpatched vulnerabilities pose in widely deployed IoT systems.

Key Takeaways

CVE-2026-33579 is actively exploitable and hits hard.

What happened: The /pair approve command doesn't check who is approving. So someone with basic pairing access (the lowest permission tier) can approve themselves for admin. That's it. Full instance takeover, no secondary exploit needed. CVSS 8.6 HIGH.

Why this matters right now:

Patch dropped March 29; NVD listing March 31. That is a two-day window for exploitation to spread before the vulnerability showed up on NVD.

135k+ OpenClaw instances are publicly exposed

63% of those run with no authentication at all, meaning the CVE's "low privilege required" translates to: literally anyone on the internet can request pairing access and start the exploit chain.

The attack is trivial:

1. Connect to an unauthenticated OpenClaw instance and get pairing access (no credentials needed).
2. Register a fake device asking for operator.admin scope.
3. Approve your own request with /pair approve [request-id].
4. The system grants admin because it never checks whether you are authorized to grant admin.
5. You now control the entire instance: all data, all connected services, all credentials.

Takes maybe 30 seconds once you know the gap exists.
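To make the missing check concrete, here is an added example that models the shape of the flaw beside the hardened handler. It is not OpenClaw's code: the PairingService class, the "pairing" scope name, the request ids and the audit log are assumptions made for illustration; only the /pair approve behaviour and the operator.admin scope come from the article. The hardened path shows the two checks an approval handler needs (the approver must already hold the scope being granted, and nobody approves their own request), and records denied attempts so they can be alerted on.

```python
from dataclasses import dataclass, field

PAIRING_SCOPE = "pairing"          # lowest tier: may only submit pairing requests (assumed name)
ADMIN_SCOPE = "operator.admin"     # scope named in the article


@dataclass
class Principal:
    name: str
    scopes: set = field(default_factory=set)


@dataclass
class PairRequest:
    request_id: str
    requester: Principal
    requested_scope: str
    approved: bool = False


class PairingService:
    """Toy pairing service (hypothetical, not OpenClaw's). With hardened=False,
    approve() trusts whoever calls it, which is the shape of the flaw.
    With hardened=True it verifies the approver before granting anything."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.requests: dict = {}
        self.audit: list = []       # (event, actor, request_id, scope) tuples
        self._next_id = 1

    def request_pairing(self, requester: Principal, scope: str) -> str:
        if PAIRING_SCOPE not in requester.scopes:
            raise PermissionError("pairing scope required to submit a request")
        request_id = f"req-{self._next_id}"
        self._next_id += 1
        self.requests[request_id] = PairRequest(request_id, requester, scope)
        return request_id

    def approve(self, approver: Principal, request_id: str) -> bool:
        req = self.requests[request_id]
        if self.hardened:
            # Check 1: you can only grant a scope you already hold yourself.
            if req.requested_scope not in approver.scopes:
                self.audit.append(("DENIED", approver.name, request_id, req.requested_scope))
                raise PermissionError(f"{approver.name} may not grant {req.requested_scope}")
            # Check 2: no self-approval, even for an admin.
            if approver is req.requester:
                self.audit.append(("DENIED_SELF", approver.name, request_id, req.requested_scope))
                raise PermissionError("self-approval is not allowed")
        # Vulnerable path (hardened=False) falls straight through to the grant.
        req.approved = True
        req.requester.scopes.add(req.requested_scope)
        self.audit.append(("APPROVED", approver.name, request_id, req.requested_scope))
        return True


def attempt_self_approval(hardened: bool) -> tuple:
    """A pairing-only principal asks for operator.admin and approves it itself.
    Returns (got_admin, audit_log) so the two variants can be compared."""
    svc = PairingService(hardened=hardened)
    stranger = Principal("unauth-client", {PAIRING_SCOPE})   # constructed sample principal
    rid = svc.request_pairing(stranger, ADMIN_SCOPE)
    try:
        svc.approve(stranger, rid)
    except PermissionError:
        pass
    return ADMIN_SCOPE in stranger.scopes, svc.audit


def admin_approval_still_works() -> bool:
    """The hardened service must still let a real admin approve a new device."""
    svc = PairingService(hardened=True)
    admin = Principal("operator", {PAIRING_SCOPE, ADMIN_SCOPE})
    device = Principal("new-device", {PAIRING_SCOPE})
    rid = svc.request_pairing(device, ADMIN_SCOPE)
    svc.approve(admin, rid)
    return ADMIN_SCOPE in device.scopes


if __name__ == "__main__":
    print("vulnerable:", attempt_self_approval(hardened=False))
    print("hardened:  ", attempt_self_approval(hardened=True))
    print("admin path:", admin_approval_still_works())
```

The DENIED audit entries are the detection hook: a principal that holds only the pairing scope attempting to approve an operator.admin request is exactly the event an unpatched instance would have silently allowed, so it is worth an alert rule on its own.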

What you need to do: