Developers of the popular AI tool OpenClaw released patches for three high-severity vulnerabilities, including one that allowed attackers with basic pairing privileges to silently gain full administrative control. The flaw, tracked as CVE-2026-33579 and rated up to 9.8 out of 10 in severity, has raised alarms among security experts. Thousands of exposed instances may have been compromised unknowingly.
OpenClaw, an AI agentic tool launched in November that has amassed 347,000 stars on GitHub, enables users to automate tasks like file organization, research, and online shopping by granting it broad access to computers, apps such as Telegram, Discord, and Slack, network files, and user accounts. Earlier this week, its developers issued security patches addressing three critical issues amid ongoing warnings from security practitioners about the risks of such autonomous AI systems controlling sensitive resources. A Meta executive earlier this year banned the tool from work laptops, citing its unpredictability as a breach risk, with other managers issuing similar directives. > “The practical impact is severe,” researchers from AI app-builder Blink wrote. “An attacker who already holds operator.pairing scope—the lowest meaningful permission in an OpenClaw deployment—can silently approve device pairing requests that ask for operator.admin scope. Once that approval goes through, the attacking device holds full administrative access to the OpenClaw instance. No secondary exploit is needed. No user interaction is required beyond the initial pairing step.” CVE-2026-33579 stemmed from a flaw in the device's pairing function, which failed to verify the approving party's permissions, allowing well-formed requests to escalate privileges unchecked. Blink noted that 63 percent of 135,000 internet-exposed OpenClaw instances scanned earlier this year ran without authentication, enabling any network visitor to gain initial pairing access freely. Patches arrived Sunday, but the formal CVE listing came Tuesday, potentially giving attackers a two-day exploitation window. For organizations using OpenClaw company-wide, a compromised admin device could access all connected data, steal credentials, run arbitrary commands, and pivot to other services, amounting to full instance takeover. Experts urge users to review recent pairing logs and reassess the tool's risks versus benefits.
