Perceptive Security
SOC/SIEM Consultancy

OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue…
Published:
28 May 2026 at 22:00:00
Alert date:
29 May 2026 at 18:02:16
Source:
nvd.nist.gov
Identity & Access, Mobile & IoT
OpenClaw versions before 2026.5.4 contain a critical authorization bypass vulnerability in the device-pair plugin. The flaw allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can exploit this to create setup codes for enrolling devices with elevated operator/node capabilities. This grants persistent unauthorized credentials that remain active until manual removal by administrators. The vulnerability affects the bundled device-pair plugin and represents a significant security risk for OpenClaw deployments.
Technical details
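As an added illustration (not OpenClaw's code; every name below is hypothetical), the bug class this advisory describes modelled in TypeScript: a chat-command handler that mints a device-pairing bootstrap code without checking that the sender is the owner, the hardened form that validates both the sender's role and the requested scopes, and a small hunt over issued codes for non-owner issuers, since devices enrolled with such codes keep their credentials until removed by hand.

```typescript
import { randomBytes } from "crypto";

// Hypothetical model of the device-pair bootstrap flow (not OpenClaw's code).
type Role = "owner" | "member";
interface ChatSender { id: string; role: Role; scopes: string[] }
interface BootstrapCode { code: string; scopes: string[]; issuedBy: string }

function mintCode(): string {
  return randomBytes(16).toString("hex"); // 32 hex characters
}

// Vulnerable shape: the handler only knows the sender is an authorized chat
// participant and mints a code carrying whatever scopes the command asked for.
function issueBootstrapCodeVulnerable(sender: ChatSender, requested: string[]): BootstrapCode {
  return { code: mintCode(), scopes: requested, issuedBy: sender.id };
}

// Hardened shape: only the owner may mint enrolment codes, and the requested
// scopes must be a subset of what the issuer itself holds, so a chat command
// cannot enrol a device with operator/node capabilities the caller lacks.
function issueBootstrapCodeHardened(sender: ChatSender, requested: string[]): BootstrapCode {
  if (sender.role !== "owner") {
    throw new Error(`sender ${sender.id} is not the owner`);
  }
  const excess = requested.filter((s) => !sender.scopes.includes(s));
  if (excess.length > 0) {
    throw new Error(`scopes not held by issuer: ${excess.join(", ")}`);
  }
  return { code: mintCode(), scopes: requested, issuedBy: sender.id };
}

// Defender side: codes minted by anyone other than the owner are the artefact
// to look for, since devices enrolled with them keep their credentials until
// an administrator removes them manually.
function findNonOwnerIssuances(issued: BootstrapCode[], owners: Set<string>): BootstrapCode[] {
  return issued.filter((c) => !owners.has(c.issuedBy));
}

// Constructed sample senders: the gateway owner and an ordinary chat member.
const owner: ChatSender = { id: "alice", role: "owner", scopes: ["operator", "node"] };
const member: ChatSender = { id: "bob", role: "member", scopes: [] };
```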
Mitigation steps:
Affected products:
OpenClaw
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-32905
https://github.com/openclaw/openclaw/security/advisories/GHSA-xr4f-mjxj-w6w5
https://www.vulncheck.com/advisories/openclaw-unauthorized-device-pairing-bootstrap-code-issuance-via-chat-command
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
