I'm trying to understand a bit more about CVE-2026-33579, the critical vulnerability in OpenClaw. To exploit, an attacker needs low-level pairing privilege permissions. How does one acquire such privileges? Can anyone do it? I'm asking because I want to understand what's required for an attacker to exploit.

Feel free to ping me at DanArs.82, or drop an answer here.

@dangoodin so this is a privesc bug. it suggests that a lower privileged user has the ability to pair new stuff to the bot.

but most people don't appear to really be using that functionality? most bots are 1:1 in terms of ownership - one bot to one person.

but this bug can be used by one existing paired channel (email, telegram, discord, twitter, whatever) to create a new one.

so it's plausible that an attacker could just dm the owner the right way to pair something THEY control

@dangoodin and this is before even getting into the fact that there are hundreds of thousands of these bots exposed to the internet already, many with zero auth, so you could just take the bot over that way directly, or use the pairing command to pair something you control to the bot so you're not using its web interface to drive it around.

@dangoodin at the end of the day, the bot is very literally RCE as a service.
you send the bot a message to do something
the bot has access to a command line
it does what you want (maybe?)
it returns the output via the channel you've set up (also maybe?)

so at the end of the day
any possible way that you can interact with the bot will result in access to having your desired commands run

conceptually, openclaw is RCE with a universal adapter glued to the front