Cyber Resilience

CVE-2026-33579

CriticalPublic PoC

Published: 31 March 2026

Published
31 March 2026
Modified
06 April 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0062 45.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-33579 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 45.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33579 is a privilege escalation vulnerability in OpenClaw versions before 2026.3.28. The flaw occurs in the /pair approve command path, which fails to forward caller scopes into the core approval check due to missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts. It has been classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-03-31.

A remote attacker with low privileges, specifically pairing privileges but without admin access, can exploit this vulnerability to approve pending device pairing requests that demand broader scopes, including admin privileges. This enables full privilege escalation, granting high-impact confidentiality, integrity, and availability compromise across a changed scope with low attack complexity and no user interaction.

Mitigation is addressed in OpenClaw 2026.3.28 via a patch in commit e403decb6e20091b5402780a7ccd2085f98aa3cd, as detailed in the GitHub security advisory GHSA-hc5h-pmr3-3497 and the VulnCheck advisory on the privilege escalation via missing caller scope validation in device pair approval.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking…

more

for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Explicit privilege escalation vulnerability via missing scope validation and incorrect authorization (CWE-863) in device pairing approval, allowing low-privileged attackers to gain admin-level access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42429Same product: Openclaw Openclaw
CVE-2026-32915Same product: Openclaw Openclaw
CVE-2026-33577Same product: Openclaw Openclaw
CVE-2026-41404Same product: Openclaw Openclaw
CVE-2026-41344Same product: Openclaw Openclaw
CVE-2026-42432Same product: Openclaw Openclaw
CVE-2026-32918Same product: Openclaw Openclaw
CVE-2026-41371Same product: Openclaw Openclaw
CVE-2026-41379Same product: Openclaw Openclaw
CVE-2026-32972Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.3.28

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the failure to enforce caller scopes in the device pairing approval path, preventing unauthorized privilege escalation.

prevent

Enforces least privilege to restrict pairing users from approving admin scopes, limiting escalation potential despite flawed enforcement.

preventrecover

Requires timely remediation of the specific code flaw in extensions/device-pair/index.ts and src/infra/device-pairing.ts via patching as done in OpenClaw 2026.3.28.

References