A high-severity remote code execution (RCE) vulnerability affects the OpenClaw npm package in versions up to 2026.3.28. Attackers with access to a device-paired node can bypass the node scope gate, exposing commands that lead to full host compromise. Maintainers confirmed the issue as real in shipped software and patched it in version 2026.3.31 via commit 3886b65ef21d02808c1a106fa1f9f69e22f71c32 on March 30, 2026.
OpenClaw handles node-based device pairing and control, likely for IoT or edge hardware setups where nodes interact with physical devices. The flaw lets a merely paired—but not fully authenticated—node skip isolation checks. This exposes sensitive node commands to unauthorized access, escalating to RCE on the host machine running the package. Reported by @AntAISecurityLab, the maintainers rated it “high” due to pairing prerequisites, not critical zero-click exploitation.
Vulnerability Mechanics
The core issue lies in flawed scope gating. OpenClaw enforces “node scope” to limit commands to properly paired nodes only. But the implementation fails to validate pairing depth: a device-paired node (basic hardware link) slips past checks meant for full node pairing (secure auth). Once past the gate, attackers issue arbitrary commands.
Exploitation path: Gain device-level access (e.g., via compromised firmware or physical proximity), pair the node, then send crafted requests bypassing scope. This triggers host RCE—executing shell commands or worse on the server hosting OpenClaw. No public PoC exists yet, but the triage notes it’s exploitable in v2026.3.28 as shipped.
Skeptically, this isn’t a supply-chain nightmare like recent npm incidents (e.g., ua-parser-js affecting 1M+ projects). OpenClaw’s niche use—under 10k weekly downloads per npm stats—limits blast radius. But in production device control (arcade machines? industrial claws?), it matters: one vuln’d node owns the host.
Affected Versions and Remediation
Vulnerable: All versions <= 2026.3.28.
Patched: >= 2026.3.31, with first stable tag v2026.3.31.
Upgrade immediately if you run OpenClaw:
npm install openclaw@latestVerify the fix commit:
git log --oneline 3886b65ef21d02808c1a106fa1f9f69e22f71c32Latest published: 2026.3.31. Audit your deps with npm audit or tools like Snyk. The advisory status remains “open,” so monitor the repo for updates.
Why This Matters
RCE via scope bypass underscores risks in device-node architectures. Developers assume pairing secures scopes, but weak validation turns “trusted” hardware links into backdoors. In security-sensitive setups—think crypto miners, ATMs, or remote claws—this escalates from device tamper to host takeover, data theft, or ransomware pivot.
Npm’s 2M+ packages amplify such flaws: 2024 saw 1,200+ high-sev vulns. OpenClaw’s future-dated versioning (2026?) suggests experimental or internal use, but shipped code demands patches. Implications for users: Rotate keys post-exposure, harden hosts with SELinux/AppArmor, segment nodes via VLANs.
Fair take: Maintainers acted fast (patch in days), crediting the finder. Not overhyped—prereqs curb mass exploits. Still, it exposes npm’s blind spots for hardware-interfacing libs. Check your stack; upgrade proactively. If you’re building node scopes, audit pairing logic rigorously—assume device access equals host risk.
