[GHSA-hc5h-pmr3-3497] OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation

[AntAISecurityLab]

Updates

• CVSS v4
• Severity

Comments
Severity: Critical (changed from High)

This advisory (GHSA-hc5h-pmr3-3497) is a regression of GHSA-hf68-49fm-59cq — same vuln class, same impact, just reopened through a code path (/pair approve) that the original fix didn't cover.

Both advisories share:

• Same root cause: caller scopes not forwarded during device pair approval
• Same impact: operator.pairing → operator.admin privilege escalation
• Same affected component: device-pairing.ts approval logic
• Same CWE class: incorrect authorization / improper privilege management

GHSA-hf68-49fm-59cq is rated Critical. A regression doesn't reduce impact — exploitability and consequences are the same. The only difference is the entry point (CLI /pair approve vs. RPC device.pair.approve), which doesn't change the severity of the privilege escalation.

This advisory should be aligned with GHSA-hf68-49fm-59cq at Critical to reflect the identical impact.

[github]

Hi there @steipete! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory