PROBABLYPWNED
Vulnerabilities · March 30, 2026 · 3 min read

OpenClaw Bootstrap Replay Bug Enables Admin Takeover (CVE-2026-32987)

Critical CVSS 9.8 flaw in OpenClaw AI agent platform lets attackers replay setup codes for privilege escalation. Patch to version 2026.3.13 immediately.

Marcus Chen

A critical vulnerability in OpenClaw's device pairing system allows attackers to replay bootstrap setup codes, escalating privileges to operator.admin level. CVE-2026-32987 carries a CVSS score of 9.8 and was publicly disclosed on March 29, 2026.

OpenClaw is an open-source framework for building and deploying AI agents. Organizations using it for automation workflows should patch immediately: the flaw requires no authenticated account (only possession of a bootstrap code) and can be exploited remotely.

What's Vulnerable

The bug exists in src/infra/device-bootstrap.ts, where the system fails to invalidate a bootstrap setup code after its first use during device pairing verification. An attacker holding a valid code can submit it repeatedly before the pairing is finalized, and each accepted replay cumulatively elevates the device's privileges.

The attack is straightforward: obtain a valid bootstrap code (network sniffing, log access, or social engineering), then hammer the verification endpoint with it during the pairing window. The code is meant to be single-use, but the implementation does not enforce that. The property to check in any fix is that the code is consumed atomically with verification; marking it used only after the grant, or in a separate request, leaves a race window that the same hammering exploits.
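To make the flaw concrete, here is an added TypeScript model of a bootstrap verifier in both forms, vulnerable and hardened. It is illustrative code written for this article, not OpenClaw's src/infra/device-bootstrap.ts. The in-memory store, the MAX_ATTEMPTS limit, the operator.paired role and the rule that each accepted verification steps a device up one rung are assumptions made to show the cumulative elevation the advisory describes; only the operator.admin role and the single-use requirement come from the advisory.

```typescript
// Added example, not OpenClaw's code: a minimal bootstrap-code verifier in a
// vulnerable form (code checked but never consumed) and a hardened form
// (code consumed on first success, attempts rate-limited). Store layout,
// MAX_ATTEMPTS, the operator.paired role and the "one accepted verification
// = one privilege rung" rule are assumptions for illustration.
import { createHash, randomBytes } from "node:crypto";

export interface BootstrapRecord {
  expiresAt: number;    // epoch milliseconds
  consumedBy?: string;  // device that consumed the code (set by the hardened path only)
}

export interface PairingState {
  codes: Map<string, BootstrapRecord>; // keyed by sha256(code); plaintext never stored
  grants: Map<string, number>;         // accepted verifications per device id
  attempts: Map<string, number>;       // verification attempts per device id
}

export type Role = "none" | "operator.paired" | "operator.admin";

export interface PairingResult {
  ok: boolean;
  grants: number;
  role: Role;
}

export const MAX_ATTEMPTS = 5; // assumed per-device limit for the hardened verifier

export function newState(): PairingState {
  return { codes: new Map(), grants: new Map(), attempts: new Map() };
}

function hashCode(code: string): string {
  return createHash("sha256").update(code).digest("hex");
}

// Issue a fresh random code with a time-to-live; only its hash is kept server-side.
export function issueCode(st: PairingState, ttlMs: number, now: number = Date.now()): string {
  const code = randomBytes(16).toString("base64url");
  st.codes.set(hashCode(code), { expiresAt: now + ttlMs });
  return code;
}

// Assumed privilege ladder: each accepted verification moves the device up one
// rung, so two accepted replays are enough to reach operator.admin.
function roleFor(grants: number): Role {
  if (grants >= 2) return "operator.admin";
  return grants === 1 ? "operator.paired" : "none";
}

function outcome(st: PairingState, deviceId: string, ok: boolean): PairingResult {
  const g = st.grants.get(deviceId) ?? 0;
  return { ok, grants: g, role: roleFor(g) };
}

function grant(st: PairingState, deviceId: string): PairingResult {
  st.grants.set(deviceId, (st.grants.get(deviceId) ?? 0) + 1);
  return outcome(st, deviceId, true);
}

// VULNERABLE: the code is looked up and checked for expiry, but the record is
// never marked used, so the same code verifies again on every replay.
export function verifyVulnerable(
  st: PairingState, deviceId: string, code: string, now: number = Date.now(),
): PairingResult {
  const rec = st.codes.get(hashCode(code));
  if (rec === undefined || rec.expiresAt <= now) return outcome(st, deviceId, false);
  return grant(st, deviceId);
}

// HARDENED: count attempts before touching the store, reject consumed or
// expired codes, and mark the code consumed before granting anything.
export function verifyHardened(
  st: PairingState, deviceId: string, code: string, now: number = Date.now(),
): PairingResult {
  const tries = (st.attempts.get(deviceId) ?? 0) + 1;
  st.attempts.set(deviceId, tries);
  if (tries > MAX_ATTEMPTS) return outcome(st, deviceId, false);

  const rec = st.codes.get(hashCode(code));
  if (rec === undefined || rec.expiresAt <= now || rec.consumedBy !== undefined) {
    return outcome(st, deviceId, false);
  }
  rec.consumedBy = deviceId; // single use: consume first, grant second
  return grant(st, deviceId);
}

// Replay one code `times` times against a verifier and return how many replays
// were accepted, i.e. what the attacker's hammering loop actually gains.
export function replay(
  verify: typeof verifyVulnerable, st: PairingState, deviceId: string, code: string, times: number,
): number {
  let accepted = 0;
  for (let i = 0; i < times; i++) {
    if (verify(st, deviceId, code).ok) accepted++;
  }
  return accepted;
}
```

The vulnerable verifier accepts the same code on every replay, so a few replays put the attacker's device at operator.admin; the hardened verifier consumes the code on the first success and refuses the rest, and stops evaluating codes once a device exceeds MAX_ATTEMPTS. Two things are simplified here on purpose: in a production store the consume step has to be an atomic compare-and-set (a conditional update keyed on the code not yet being consumed), otherwise two concurrent requests both pass the check before either marks the code used; and the attempt limit is keyed on the device id only to keep the model small, since an attacker picks that id, so a real limiter keys on something the client does not control, such as source address or tenant.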

This vulnerability pattern—where single-use tokens aren't actually invalidated—has appeared elsewhere. We saw similar authentication weaknesses in LangChain/LangGraph just days ago, suggesting that AI framework developers may be underestimating the security rigor required for production deployments.

Impact

Successful exploitation grants attacker-controlled devices operator.admin privileges within the OpenClaw deployment. From there, an attacker can:

  • Read and modify agent configurations
  • Access connected data sources and APIs
  • Deploy malicious agent behaviors
  • Exfiltrate data processed by AI workflows

Given OpenClaw's role in connecting AI agents to enterprise systems, compromise here could cascade into broader infrastructure access. Organizations have increasingly woven AI agents into critical workflows, making frameworks like OpenClaw attractive targets.

Who's Affected

All OpenClaw versions before 2026.3.13 are vulnerable. The vulnerability specifically impacts deployments where:

  • Device pairing is enabled
  • Bootstrap codes are distributed to users or systems
  • The pairing verification window is accessible over the network

Default configurations that rely on bootstrap pairing are at risk. Organizations running OpenClaw in air-gapped environments or with pairing disabled may have reduced exposure, but should still patch.

Remediation

Upgrade OpenClaw to version 2026.3.13 or later. The fix adds proper code invalidation after first use and implements rate limiting on the verification endpoint.

If immediate patching isn't possible:

  1. Disable device pairing temporarily until you can update
  2. Audit pairing logs for suspicious patterns: more than one successful verification of the same code, or bursts of verification attempts against the endpoint during a pairing window
  3. Rotate any bootstrap codes that may have been exposed, treating codes that appear in logs or shared channels as exposed
  4. Review operator.admin accounts and the list of paired devices for unauthorized additions
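For steps 2 and 4, here is an added TypeScript triage script that runs the two checks over pairing logs: codes with more than one successful verification, and devices that both took part in such a replay and were granted operator.admin. It is not OpenClaw's tooling. The JSON-lines format, the field names (ts, event, codeId, device, result, role), the operator.paired role and the sample log are constructed for this example, so map them onto whatever your deployment actually emits; logging a short code identifier rather than the code itself is assumed, since a code in a log is one of the exposure paths listed above.

```typescript
// Added example, not OpenClaw's tooling: triage pairing logs for the replay
// pattern in the advisory. Line format, field names and SAMPLE_LOG are
// constructed for this example.
export interface PairingEvent {
  ts: number;        // epoch milliseconds, parsed from the line's ISO timestamp
  event: string;     // "bootstrap.verify" or "role.grant" in the assumed format
  codeId?: string;   // short identifier of the bootstrap code, never the code itself
  device?: string;
  result?: string;   // "ok" or "denied" for bootstrap.verify
  role?: string;     // granted role for role.grant
}

// Constructed sample: one legitimate pairing, one replay burst that ends in an
// operator.admin grant, two denied attempts, and a malformed line.
export const SAMPLE_LOG = `
{"ts":"2026-03-28T09:00:00Z","event":"bootstrap.verify","codeId":"bc_a1","device":"laptop-01","result":"ok"}
{"ts":"2026-03-28T09:00:02Z","event":"role.grant","device":"laptop-01","role":"operator.paired"}
{"ts":"2026-03-28T11:14:03Z","event":"bootstrap.verify","codeId":"bc_b2","device":"host-77","result":"ok"}
{"ts":"2026-03-28T11:14:03Z","event":"bootstrap.verify","codeId":"bc_b2","device":"host-77","result":"ok"}
{"ts":"2026-03-28T11:14:04Z","event":"bootstrap.verify","codeId":"bc_b2","device":"host-77","result":"ok"}
{"ts":"2026-03-28T11:14:05Z","event":"role.grant","device":"host-77","role":"operator.admin"}
{"ts":"2026-03-28T12:00:00Z","event":"bootstrap.verify","codeId":"bc_c3","device":"host-78","result":"denied"}
{"ts":"2026-03-28T12:00:01Z","event":"bootstrap.verify","codeId":"bc_c3","device":"host-78","result":"denied"}
garbage line that is not JSON
`;

// Parse JSON lines, skipping blank or malformed ones so one bad line does not
// abort the audit.
export function parseLog(text: string): PairingEvent[] {
  const events: PairingEvent[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    let obj: any;
    try { obj = JSON.parse(line); } catch { continue; }
    if (typeof obj.ts !== "string" || typeof obj.event !== "string") continue;
    const ts = Date.parse(obj.ts);
    if (Number.isNaN(ts)) continue;
    events.push({ ...obj, ts });
  }
  return events;
}

export interface ReplayFinding {
  codeId: string;
  successes: number;  // accepted verifications; a single-use code should have at most one
  devices: string[];
  spanMs: number;     // time between first and last accepted verification
}

// Step 2: group successful verifications by code and flag any code that was
// accepted more than once.
export function findReplays(events: PairingEvent[]): ReplayFinding[] {
  const byCode = new Map<string, PairingEvent[]>();
  for (const e of events) {
    if (e.event !== "bootstrap.verify" || e.result !== "ok" || !e.codeId) continue;
    const list = byCode.get(e.codeId) ?? [];
    list.push(e);
    byCode.set(e.codeId, list);
  }
  const findings: ReplayFinding[] = [];
  byCode.forEach((list, codeId) => {
    if (list.length < 2) return;
    const times = list.map((e) => e.ts);
    findings.push({
      codeId,
      successes: list.length,
      devices: Array.from(new Set(list.map((e) => e.device ?? "unknown"))),
      spanMs: Math.max(...times) - Math.min(...times),
    });
  });
  return findings.sort((a, b) => b.successes - a.successes);
}

// Step 4: devices that were granted operator.admin and also took part in a replay.
export function suspiciousAdminGrants(events: PairingEvent[], findings: ReplayFinding[]): string[] {
  const replayDevices = new Set<string>();
  for (const f of findings) for (const d of f.devices) replayDevices.add(d);
  const admins = events
    .filter((e) => e.event === "role.grant" && e.role === "operator.admin" && e.device !== undefined)
    .map((e) => e.device as string);
  return Array.from(new Set(admins.filter((d) => replayDevices.has(d))));
}
```

On the sample, findReplays reports only bc_b2 (three accepted verifications from host-77 within one second), the denied bc_c3 attempts are ignored because they never succeeded, and suspiciousAdminGrants narrows the operator.admin grants down to host-77. Any device on that list should be treated as attacker-controlled until the pairing can be traced to a legitimate request.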

The Bigger Picture

This disclosure follows a rough stretch for AI framework security. Between the Langflow RCE that saw exploitation within 20 hours of disclosure and ongoing supply chain attacks targeting AI tooling, the AI development ecosystem is demonstrating that rapid innovation often outpaces security maturity.

Organizations deploying AI agents should treat these frameworks with the same security scrutiny they'd apply to any internet-facing application—because increasingly, that's exactly what they are.
