OpenClaw privilege escalation vulnerability
Summary
OpenClaw prior to 2026.3.28 contains a privilege escalation vulnerability in the /pair/approve path: because the path does not validate the scopes being granted, a caller who holds pairing privileges but not admin privileges can approve requests that carry admin-level scopes. The issue is rated high severity, with a CVSS 4.0 base score of 8.1 (several CVSS vectors are published), and is documented in multiple advisories and references, including an NVD initial analysis dated 2026-04-01.
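The following is an added illustration of the missing check the advisory describes, not OpenClaw's own code; the scope names `pairing` and `admin`, the `Caller` and `PairingRequest` types and the function names are assumptions chosen for the example. It places an approval handler that only verifies the caller may pair at all beside a hardened version that additionally refuses to grant any scope the approver does not itself hold, which is the control whose absence lets a pairing-only caller produce an admin-scoped approval.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed scope names for illustration; OpenClaw's real scope identifiers are not on the page.
PAIRING_SCOPE = "pairing"
ADMIN_SCOPE = "admin"


class ScopeError(PermissionError):
    """Raised when a caller tries to approve more than it is allowed to grant."""


@dataclass(frozen=True)
class Caller:
    caller_id: str
    scopes: FrozenSet[str]


@dataclass
class PairingRequest:
    request_id: str
    requested_scopes: FrozenSet[str]
    approved: bool = False
    approved_by: Optional[str] = None


def approve_vulnerable(caller: Caller, request: PairingRequest) -> PairingRequest:
    """Pattern the advisory describes: checks only that the caller may pair at all
    and never compares the scopes being granted against the caller's own."""
    if PAIRING_SCOPE not in caller.scopes:
        raise ScopeError("pairing scope required to approve")
    request.approved = True
    request.approved_by = caller.caller_id
    return request


def approve_hardened(caller: Caller, request: PairingRequest) -> PairingRequest:
    """Hardened form: an approver may only grant scopes it holds itself, so a
    pairing-only caller cannot produce an admin-scoped approval."""
    if PAIRING_SCOPE not in caller.scopes:
        raise ScopeError("pairing scope required to approve")
    escalated = request.requested_scopes - caller.scopes
    if escalated:
        raise ScopeError(
            f"{caller.caller_id} cannot grant scopes it does not hold: {sorted(escalated)}"
        )
    request.approved = True
    request.approved_by = caller.caller_id
    return request


def escalation_attempt() -> dict:
    """Constructed scenario: a pairing-only caller approves a request asking for admin."""
    caller = Caller("pair-only-user", frozenset({PAIRING_SCOPE}))
    outcome = {}
    # Vulnerable path: the approval succeeds and admin scope is granted.
    vuln_req = PairingRequest("req-1", frozenset({ADMIN_SCOPE}))
    outcome["vulnerable_approved"] = approve_vulnerable(caller, vuln_req).approved
    # Hardened path: the same input is refused.
    hard_req = PairingRequest("req-2", frozenset({ADMIN_SCOPE}))
    try:
        approve_hardened(caller, hard_req)
        outcome["hardened_approved"] = True
    except ScopeError:
        outcome["hardened_approved"] = False
    # Hardened path still allows an approval whose scopes the caller holds.
    ok_req = PairingRequest("req-3", frozenset({PAIRING_SCOPE}))
    outcome["hardened_in_scope_approved"] = approve_hardened(caller, ok_req).approved
    return outcome


if __name__ == "__main__":
    print(escalation_attempt())
```

The superset check is the whole fix: every scope in the request must already be held by the approver. A detection-side corollary is to log the approver's scopes alongside the granted scopes on each approval, so an approval that grants more than its approver holds stands out in audit records.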