Perceptive Security
SOC/SIEM Consultancy

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pai…
Published:
27 April 2026 at 22:00:00
Alert date:
28 April 2026 at 21:20:19
Source:
nvd.nist.gov
Mobile & IoT, Identity & Access
OpenClaw before version 2026.3.22 contains a privilege escalation vulnerability in its bootstrap setup process. The vulnerability occurs during device pairing when bootstrap setup codes are not properly bound to the device roles and scopes they were issued for. Attackers can exploit this weakness during first-use device pairing to escalate their privileges beyond their intended role and scope. This allows unauthorized access to higher-level system functions and potentially compromises the entire device security model. Because the vulnerability sits in the initial setup phase, it is particularly dangerous for new deployments.
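The following is an added illustration of the bug class the advisory describes, not OpenClaw's code and not derived from the referenced commit: a constructed pairing service in which a bootstrap setup code either proves only that the client holds a secret (the unbound pattern, where the client's request decides the role and scopes it receives) or is bound at issuance to a specific role and scope set that redemption cannot widen. The `PairingService` class, the role and scope names, the code TTL and the single-use rule are all assumptions chosen for the example.

```python
"""Constructed example (not OpenClaw's code): binding a bootstrap setup
code to the role and scopes it was issued for, so a client cannot widen
them when it redeems the code during first-use pairing."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class SetupCode:
    role: str              # role the code was issued for (assumed role names)
    scopes: frozenset      # scopes the code was issued for (assumed scope names)
    expires_at: float      # unix time; short window covering first-use pairing only
    used: bool = False     # one-shot: a redeemed code is never honoured again


@dataclass
class Grant:
    device_id: str
    role: str
    scopes: frozenset


class PairingService:
    """Hypothetical pairing service; assumed TTL of 10 minutes per setup code."""

    def __init__(self, ttl_seconds: float = 600.0, clock=time.time):
        self._codes: Dict[str, SetupCode] = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be exercised in tests

    def issue_setup_code(self, role: str, scopes: Iterable[str]) -> str:
        # The operator decides role and scopes when the code is created; the
        # code itself is an opaque random secret that carries no claims.
        code = secrets.token_urlsafe(16)
        self._codes[code] = SetupCode(role, frozenset(scopes), self._clock() + self._ttl)
        return code

    def _lookup_live(self, code: str) -> Optional[SetupCode]:
        rec = self._codes.get(code)
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        return rec

    # Unbound pattern (the weakness class): the code only proves possession of
    # a valid bootstrap secret; role and scopes are copied from the request.
    def redeem_unbound(self, code: str, device_id: str,
                       requested_role: str, requested_scopes: Iterable[str]) -> Optional[Grant]:
        rec = self._lookup_live(code)
        if rec is None:
            return None
        rec.used = True
        return Grant(device_id, requested_role, frozenset(requested_scopes))

    # Bound pattern (the mitigation): the grant is derived from what was
    # recorded at issuance, and any request that exceeds it is refused.
    def redeem_bound(self, code: str, device_id: str,
                     requested_role: str, requested_scopes: Iterable[str]) -> Optional[Grant]:
        rec = self._lookup_live(code)
        if rec is None:
            return None
        requested = frozenset(requested_scopes)
        if requested_role != rec.role or not requested <= rec.scopes:
            # Refuse rather than silently narrow, so a mismatched request is
            # visible to whoever reads the pairing logs.
            return None
        rec.used = True
        return Grant(device_id, rec.role, requested)


def demo():
    """Shows the two redemption paths on codes issued for a low-privilege role."""
    svc = PairingService()
    code_a = svc.issue_setup_code("sensor", {"telemetry:write"})
    # A client asks for far more than the code was issued for.
    widened = svc.redeem_unbound(code_a, "dev-1", "admin", {"config:write", "users:manage"})
    code_b = svc.issue_setup_code("sensor", {"telemetry:write"})
    refused = svc.redeem_bound(code_b, "dev-2", "admin", {"config:write"})
    granted = svc.redeem_bound(code_b, "dev-2", "sensor", {"telemetry:write"})
    replayed = svc.redeem_bound(code_b, "dev-2", "sensor", {"telemetry:write"})
    return widened, refused, granted, replayed


if __name__ == "__main__":
    for label, result in zip(("unbound", "bound/refused", "bound/granted", "replay"), demo()):
        print(f"{label}: {result}")
```

The check that matters is in `redeem_bound`: the server never trusts the role or scope list in the redemption request, only the record it wrote when the code was issued. A failed bound redemption leaves the code unused so a legitimately misconfigured client can retry; a deployment that prefers to burn the code on any mismatch can move `rec.used = True` above the comparison.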
Technical details
Mitigation steps:
Affected products:
OpenClaw
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41386
https://github.com/openclaw/openclaw/commit/a600c72ed7d0045a27f58bf031d2b36ecb0141c9
https://github.com/openclaw/openclaw/security/advisories/GHSA-gg9v-mgcp-v6m7
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unbound-bootstrap-setup-codes
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
