‘The /pair approve command doesn't check who is approving. So someone with basic pairing access (the lowest permission tier) can approve themselves for admin. That's it. Full instance takeover’
https://old.reddit.com/r/sysadmin/comments/1sbdw29/if_youre_running_openclaw_you_probably_got_hacked/
John Spurlock
npub1g2…pachf
2026-04-03 19:35:44 UTC
Author Public Key
npub1g2v6lmze8knq2w3p2smx8rdzcpluqg5mawgfp8f3fhhung6v97tsypachfSeen on
wss://relay.momostr.pinkPublished at
2026-04-03 19:35:44 UTCEvent JSON
{
"id": "7cea1707c1ff6450d5042ab7edda213b4763e10f696cccd2db0b04db89231d80",
"pubkey": "4299afec593da6053a215436638da2c07fc0229beb90909d314defc9a34c2f97",
"created_at": 1775244944,
"kind": 1,
"tags": [
[
"proxy",
"https://podcastindex.social/@js/116342452651731220",
"web"
],
[
"proxy",
"https://podcastindex.social/users/js/statuses/116342452651731220",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://podcastindex.social/users/js/statuses/116342452651731220",
"pink.momostr"
],
[
"-"
]
],
"content": "‘The /pair approve command doesn't check who is approving. So someone with basic pairing access (the lowest permission tier) can approve themselves for admin. That's it. Full instance takeover’\n\nhttps://old.reddit.com/r/sysadmin/comments/1sbdw29/if_youre_running_openclaw_you_probably_got_hacked/",
"sig": "a9faa507ce369f4768637c2ef8f029abdb76b52b8fe125108caaf930aea3ac631a993cf5e05976265b977ee3d837a3b801c549c506d9c13b2ac6e5775fa54521"
}