⚠ Withdrawn by GitHub Security Advisories
Withdrawn: June 18, 2026
GHSA-wrmq-9fc4-gwwjHighCVSS 8.8Disclosed before NVD
Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority
📋 Description
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-q99w-vh6v-q3v7. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.
🎯 Affected products1
- npm/openclaw:< 2026.5.26