Back to archive
5 public sources
Incident report

When OpenClaw Setup Codes Became a Trust Boundary

Setup Code Boundary

March 2026 pairing and bootstrap trust-boundary reset

OpenClaw

The memorable part of OpenClaw's March 2026 advisory cluster is not that pairing had bugs. It is that the QR and setup-code flow had been doing security work all along: moving authority from one screen to one device.

Opening quote
Once a setup artifact can leak durable auth or reopen a pending pairing, the onboarding screen is already part of access control.

The screenshot is the problem.

The QR code glows on a laptop, the phone is not nearby, someone grabs a screenshot “just for a minute,” drops it into chat, and moves on.

In OpenClaw’s March 13-14, 2026 advisory cluster, that ordinary move stopped looking like setup residue and started looking like an authority handoff.

The scene is banal because pairing rituals are supposed to feel banal. A terminal prints openclaw qr. A QR block appears. Someone forwards it from one screen to another, leaves it in Slack, tucks the digits into Notes, or retries after restarting the gateway. None of that feels dramatic if a setup code is only a delivery mechanism. It feels very different once the same path can expose long-lived auth material, preserve replayable pending state, or let a newly connected client arrive with more scope than the server should trust.

That is why this cluster matters. Not because OpenClaw had a rough security week, and not because three GitHub advisories happened to land back-to-back, but because all three pressed on the same moment: the instant a new device crosses from not trusted yet to inside the system.

In two March days, pairing changed meaning

The advisory pages are dry. Put side by side, they read like a product learning in public where its real perimeter is.

On March 13, 2026, GHSA-7h7g-x2px-94hj disclosed that generated setupCode values and pairing QR codes could expose long-lived gateway auth tokens. The fix shipped in 2026.3.12. That is the clearest rupture in the cluster: the supposedly temporary pairing artifact was carrying durable authority.

The same day, GHSA-rqpp-rjj8-7wv8 disclosed a different failure, also fixed in 2026.3.12. Device-less shared-token and password-authenticated WebSocket connections could declare scopes that were not being constrained tightly enough server-side. That issue sits slightly beside the QR artifact itself, but not beside the story. It lands in the same boundary zone: what a newly connected client can say it is allowed to do before identity and authority have been bound cleanly enough.

Then March 14 brought GHSA-63f5-hhc7-cx6p, fixed in 2026.3.13. Pending setup codes and QR pairing artifacts could be replayed before approval after a gateway restart because expiry and replay tracking lived only in memory. That is not a different genre of problem. It is the same handoff surface failing to stay one-time under restart pressure.

Three advisories. Three distinct bug classes. One pattern: pairing was carrying more authority than the UX language suggested.

The pairing ritual had been doing security work all along

Setup codes invite casual handling. They look like a TV login screen, not a credential ceremony. A person sees a QR square and a short code, assumes ephemerality, screenshots it, scrolls away, and thinks the serious part happens later. Products train that instinct every day.

The March 2026 cluster broke that instinct from multiple angles.

When the pairing artifact can reveal a long-lived gateway token, the “later” authority is already present at the beginning. When a pending setup can come back to life after a restart, the artifact is not behaving like a clean one-time handoff. When early shared-auth connections can arrive with scopes the server has not bound tightly enough, pairing is not just admitting a device. It is shaping what that device can become.

OpenClaw’s advisories do not use that language themselves, and that distinction matters. The sentence above is editorial interpretation, not quoted maintainer intent. The interpretation still stays inside the evidence. The cluster only makes full sense once the QR and setup-code path is treated as an access-control boundary rather than onboarding decoration.

The current docs read like a repaired handoff

The present-day docs tell the story from the other side of the break.

The openclaw qr docs describe the operator ritual plainly: run the command on the gateway, present a QR or setup code on one screen, scan or type it from the device, and exchange that temporary material for pairing approval. What matters is the term the docs now emphasize: the payload carries a short-lived bootstrapToken, not standing authority.

The gateway protocol docs then take over. During pairing, the device presents identity and the gateway verifies the challenge flow; after that handoff, the gateway issues a scoped device token. Those docs also describe the long-lived token as something operators can rotate or revoke later.

That is the architectural correction visible in public: temporary bootstrap material at the edge, device identity established during pairing, durable authority moved into a per-device scoped token only after the handoff succeeds.

This is more than implementation cleanup. It is a cleaner map of where trust is supposed to live.

What is documented, and what this page is inferring

The facts are strong enough to separate cleanly from the story’s interpretation.

Documented facts:

  • GHSA-7h7g-x2px-94hj and GHSA-rqpp-rjj8-7wv8 were published on March 13, 2026, and both list 2026.3.12 as the patched version.
  • GHSA-63f5-hhc7-cx6p was published on March 14, 2026, and lists 2026.3.13 as the patched version.
  • GHSA-7h7g-x2px-94hj says generated setup codes and QR pairing artifacts could expose long-lived gateway auth tokens.
  • GHSA-63f5-hhc7-cx6p says pending setup codes and QR pairing artifacts could be replayed before approval after a gateway restart because replay and expiry tracking was only in memory.
  • GHSA-rqpp-rjj8-7wv8 says some shared-token and password-authenticated WebSocket connections could retain self-declared elevated scopes.
  • The current openclaw qr docs describe setup codes as carriers of a short-lived bootstrapToken.
  • The current gateway protocol docs describe pairing as the point where a device receives a scoped long-term token that can later be rotated or revoked.

Bounded editorial inference:

  • The real significance of the March 13-14 cluster is that different bugs kept surfacing on the same authority handoff surface.
  • OpenClaw had to stop treating pairing language as mere convenience framing and start treating it as a real trust boundary.
  • The current docs read like the corrected boundary: bootstrap first, per-device scoped authority only after pairing completes.

That inference stays inside the record. It does not require guessing at hidden maintainer motives or undocumented architecture. It just takes the advisories seriously as a cluster rather than as isolated labels.

The least flashy advisory changes the whole reading

The long-lived-token disclosure is the one people remember first. The replay bug is the one that makes operators picture the gateway restart. GHSA-rqpp-rjj8-7wv8 is the advisory that keeps the story from shrinking into a simple “expire the code faster” moral.

Without it, the March episode could be told as a lesson about secret lifetime: do not leak bootstrap material, invalidate it correctly, move on. With it, the episode becomes about identity and inheritance too. The problem was not only that the wrong artifact might stay valid. The problem was that early trust and scope assignment around a new connection were not yet tight enough.

That is a more serious question, and a more durable one: not just “Can this setup code still be used?” but “What authority is the system willing to attach to a not-yet-fully-bound participant in the first place?”

Once that question enters the frame, pairing stops looking like a thin wrapper around the real system. It is the moment the real system begins.

The lesson travels

OpenClaw is the case here, but the pressure pattern travels easily.

Teams love to call QR flows, invite links, and bootstrap codes “onboarding” because the word sounds lightweight. It implies the hard security work begins later, after the friendly first-run screen is gone. Sometimes that is true. Sometimes the first-run screen is already carrying the full authority handoff and nobody wants to narrate it that way because convenience is part of the product promise.

March 2026 is a useful counterexample. The OpenClaw pairing surface was doing several jobs at once: moving sensitive auth material, determining whether pending pairing state was truly one-time, and constraining how much authority a newly connected client could claim. The fixes therefore had to do more than seal one leak. They had to sort those jobs into a safer order.

A QR square left open on a laptop, a setup code pasted into chat, a gateway restarted midway through approval: after this cluster, those scenes do not read like setup trivia anymore. They read like trust-boundary moments.

The screenshot is not harmless anymore. It is part of the trust boundary.

Sources

Sources & public record

CoClaw keeps story pages grounded in public reporting, primary posts, issue threads, and project materials readers can inspect themselves.

  1. Source 01

    GitHub Advisory Database - GHSA-7h7g-x2px-94hj

  2. Source 02

    GitHub Advisory Database - GHSA-63f5-hhc7-cx6p

  3. Source 03

    GitHub Advisory Database - GHSA-rqpp-rjj8-7wv8

  4. Source 04

    OpenClaw Docs - openclaw qr

  5. Source 05

    OpenClaw Docs - Gateway protocol

Related Stories

The bounty ended. The queue was the story.
Incident report
curl's bug bounty had been running since 2019 and had already surfaced dozens of real vulnerabilities. Then AI-generated reports changed the cost structure of submission. Daniel Stenberg ended the rewards in January 2026, kept security intake alive, and then had to redesign that intake again a month later.
When Fake OpenClaw Installers Turned Discovery Into the Real Attack Surface
Incident report
A source-backed reconstruction of the fake OpenClaw installer wave: cloned GitHub repos, Bing AI answers, GhostSocks and infostealers, and the trust failure that happened before many users ever reached the official product.
Peter Steinberger and the Rebrand That Turned Into a Trust Test
Person story
A source-backed feature on Peter Steinberger, OpenClaw’s rapid renames, and how a branding problem quickly became a distribution, scam, and installer-trust problem.

Related Guides

OpenClaw Pairing Explained: The Trust Model Behind Control UI
Guide
Understand what Control UI pairing actually proves, why local and remote access behave differently, where users confuse pairing with auth, and how to troubleshoot trust failures without guessing.
OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access
Guide
Restore stable Control UI access by separating gateway auth from device pairing, fixing unauthorized and 1008 loops, and verifying that your remote path stays stable.