Why do I get scope upgrade pending approval after upgrading?

v2026.4.21 resets device scopes in paired.json to operator.read only, but requires more scopes for subagent and approvals.

How to fix scope upgrade pending approval?

Edit ~/.openclaw/devices/paired.json to add required scopes, chmod 444 to prevent Gateway overwrite. TUI works as workaround.

Does scope upgrade bug affect all users?

Affects all new users on fresh install of v2026.4.21+ and users upgrading from v2026.4.15.

Is there an official fix?

Fix was pending at time of reporting. Device scopes should persist across upgrades.

What versions are affected?

v2026.4.21 primarily, with related scope deadlock bugs in v2026.4.15-4.24 range.

← Back to dashboard

clawsmith.com/signal/openclaw-scope-upgrade-pending-approval-v2026-4-21

⚠ IssueUnknownCoreLive

OpenClaw v2026.4.21 Scope Upgrade Pending Approval Bug Blocks Core Workflow for All New Users

After upgrading to v2026.4.21, device scopes in paired.json reset to operator.read only. Spawn subagent, native approvals, and Web UI chat all fail with scope upgrade pending approval. Affects all new users on fresh install.

Product Idea from this Signal

A CLI tool that runs pre-flight compatibility checks before OpenClaw upgrades and auto-rolls back when the gateway fails to start

405 ▲

OpenClaw ships 13+ releases per month and each one risks breaking gateway startup, scope pairing, channel connections, or plugin loading. Users upgrading from v2026.4.15 to v2026.4.21 hit a scope upgrade pending approval bug that locked them out of the primary interface entirely. Others saw 13-minute silent hangs on first boot, high CPU from RPC latency spikes, and external plugins silently dropped. This tool snapshots the current working state before upgrade, runs compatibility checks against the target version's known issues, and auto-reverts if the gateway fails health checks after upgrade.

CLIOPEN-SOURCEDEVTOOLRELIABILITY

UnderservedView Opportunity →