When /pair approve Bypasses the Scope Guard | Endigest
A CVSS 9.9 privilege escalation vulnerability in OpenClaw's device pairing system where the /pair approve slash command bypasses scope authorization.
- The core approveDevicePairing function enforces scope checks via an optional callerScopes parameter, rejecting callers without sufficient scope
- The /pair approve slash command performs only a coarse scope check and calls approveDevicePairing without passing callerScopes
- When callerScopes is absent, the core function skips enforcement, trusting the caller implicitly
- An operator with only operator.pairing scope can approve a request granting operator.admin, completing full privilege escalation
- The fix is 8 lines: pass callerScopes through the slash command path and add a corresponding test
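The pattern the bullets describe, an authorization check that silently becomes a no-op when an optional parameter is omitted, is easy to reproduce in miniature. The following is an added illustrative model, not OpenClaw's code: the names approveDevicePairing, callerScopes, operator.pairing and operator.admin come from the summary, while the Scope type, the PairingRequest shape, the slash-command handler functions and the sample request are assumptions made for the example. It places the vulnerable shape beside the hardened one and shows why making callerScopes mandatory (fail closed) is the structural fix rather than just remembering to pass it at one call site.

```typescript
// Added illustrative model of the summary's bug; not OpenClaw's code.
// Scope, PairingRequest and the slash-command handlers are assumed names.
type Scope = "operator.pairing" | "operator.admin" | "operator.read";

interface PairingRequest {
  deviceId: string;
  requestedScopes: Scope[]; // scopes the device would be granted on approval
}

const PAIRING_SCOPE: Scope = "operator.pairing";

// A caller may grant only scopes it already holds itself.
function callerCanGrant(callerScopes: Scope[], requested: Scope[]): boolean {
  return requested.every((s) => callerScopes.includes(s));
}

// Vulnerable shape: callerScopes is optional, and when it is undefined the
// check is skipped entirely. Any caller that forgets to pass it gets an
// unconditional approval, which is exactly the gap the summary describes.
function approveDevicePairingVulnerable(
  req: PairingRequest,
  callerScopes?: Scope[],
): boolean {
  if (callerScopes !== undefined && !callerCanGrant(callerScopes, req.requestedScopes)) {
    return false; // enforcement only runs when scopes were supplied
  }
  return true; // approved; implicitly trusted when callerScopes was omitted
}

// Hardened shape: callerScopes is mandatory. A call site that omits it no
// longer compiles, so the check cannot be bypassed by forgetting it.
function approveDevicePairingFixed(req: PairingRequest, callerScopes: Scope[]): boolean {
  return callerCanGrant(callerScopes, req.requestedScopes);
}

// Slash-command path as the summary describes it: a coarse "does the caller
// hold operator.pairing at all" check, then a core call that drops callerScopes.
function slashPairApproveVulnerable(req: PairingRequest, callerScopes: Scope[]): boolean {
  if (!callerScopes.includes(PAIRING_SCOPE)) return false;
  return approveDevicePairingVulnerable(req); // callerScopes not forwarded
}

// Fixed slash-command path: forwards callerScopes so the fine-grained check runs.
function slashPairApproveFixed(req: PairingRequest, callerScopes: Scope[]): boolean {
  if (!callerScopes.includes(PAIRING_SCOPE)) return false;
  return approveDevicePairingFixed(req, callerScopes);
}

// Constructed scenario: a caller holding only operator.pairing approves a
// request that would grant operator.admin.
const escalationRequest: PairingRequest = {
  deviceId: "dev-example-01", // constructed sample id
  requestedScopes: ["operator.admin"],
};
const pairingOnlyCaller: Scope[] = ["operator.pairing"];

// Runs both paths on the scenario; a regression test for the fix would assert
// that the fixed path denies this request while a legitimate one still passes.
function runScenario(): { vulnerableApproved: boolean; fixedApproved: boolean } {
  return {
    vulnerableApproved: slashPairApproveVulnerable(escalationRequest, pairingOnlyCaller),
    fixedApproved: slashPairApproveFixed(escalationRequest, pairingOnlyCaller),
  };
}

console.log(runScenario()); // { vulnerableApproved: true, fixedApproved: false }
```

The design point is that an optional authorization parameter creates a default-allow path: every caller that omits it is trusted, and the core function has no way to tell an intentional internal call from a forgotten argument. Making the parameter required moves that mistake from runtime to compile time, and a test that exercises the slash-command path with a low-privilege caller, as the summary says the fix adds, guards against the wiring regressing later.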
This summary was automatically generated by AI based on the original article and may not be fully accurate.