CVE-2026-41909: Incorrect Authorization in OpenClaw Device Pairing

Vulnerability ID: GHSA-XRQ9-JM7V-G9H7
CVSS Score: 5.4
Published: 2026-04-25

The OpenClaw Agent Platform before version 2026.4.20 contains an incorrect authorization vulnerability (CWE-863) in its gateway pairing management module. The module fails to distinguish administrative operator sessions from device-level sessions, so a compromised or malicious device can view and manipulate pairing requests that belong to other devices within the same gateway scope.

TL;DR: OpenClaw versions prior to 2026.4.20 do not properly scope the pairing RPC methods. Any device token carrying the operator.pairing scope can globally list, approve, or reject pairing requests for unrelated devices.…
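The pattern the advisory describes, a scope check that ignores which kind of session presents the scope, is illustrated below with a vulnerable handler beside its hardened form. This is an added example written for this page, not OpenClaw's own code: the session model, the in-memory store, the sample devices and the function names are all hypothetical. The only identifier taken from the advisory is the operator.pairing scope string.

```typescript
// Added illustration of CWE-863 in a pairing RPC. Every name below (session
// kinds, store layout, device ids) is hypothetical and not OpenClaw's API.

type SessionKind = "operator" | "device";

interface Session {
  kind: SessionKind;
  // For device sessions: the device the token was minted for. This must come
  // from the verified token, never from RPC parameters the caller controls.
  deviceId?: string;
  scopes: string[];
}

interface PairingRequest {
  id: string;
  deviceId: string;
  status: "pending" | "approved" | "rejected";
}

// Constructed sample state: two unrelated devices awaiting approval.
function seedStore(): Map<string, PairingRequest> {
  return new Map<string, PairingRequest>([
    ["req-1", { id: "req-1", deviceId: "dev-A", status: "pending" }],
    ["req-2", { id: "req-2", deviceId: "dev-B", status: "pending" }],
  ]);
}

// Vulnerable pattern (before): the scope alone is treated as proof of an
// administrative operator, so a device token holding operator.pairing gets a
// global view and global write access.
function vulnerableList(s: Session, store: Map<string, PairingRequest>): PairingRequest[] {
  if (!s.scopes.includes("operator.pairing")) throw new Error("forbidden");
  return [...store.values()];
}

function vulnerableApprove(s: Session, store: Map<string, PairingRequest>, id: string): void {
  if (!s.scopes.includes("operator.pairing")) throw new Error("forbidden");
  const r = store.get(id);
  if (!r) throw new Error("not found");
  r.status = "approved";
}

// Hardened pattern (after): the scope is necessary but not sufficient. An
// operator session acts across devices; a device session is confined to the
// pairing request bound to its own deviceId.
function canView(s: Session, r: PairingRequest): boolean {
  if (!s.scopes.includes("operator.pairing")) return false;
  if (s.kind === "operator") return true;
  return s.kind === "device" && s.deviceId !== undefined && s.deviceId === r.deviceId;
}

function hardenedList(s: Session, store: Map<string, PairingRequest>): PairingRequest[] {
  return [...store.values()].filter((r) => canView(s, r));
}

function hardenedApprove(s: Session, store: Map<string, PairingRequest>, id: string): void {
  const r = store.get(id);
  // Same error for "missing" and "belongs to another device", so a device
  // token cannot enumerate other devices' request ids.
  if (!r || !canView(s, r)) throw new Error("not found");
  // Approving a pairing is an administrative decision; a device may see the
  // state of its own request but never approve it, including its own.
  if (s.kind !== "operator") throw new Error("forbidden");
  r.status = "approved";
}

// Small helper so callers (and tests) can compare outcomes as strings.
function attempt(fn: () => void): string {
  try {
    fn();
    return "ok";
  } catch (e) {
    return (e as Error).message;
  }
}
```

The two checks the fix adds are the session-kind test in canView and the operator-only gate in hardenedApprove; the scope string itself is unchanged. Note also that deviceId is taken from the session object (the verified token), not from the request body, since an attacker-supplied device id would reopen the same hole.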