Description
OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or intercepted credentials can obtain high-privilege Control UI access by exploiting the lack of secure authentication enforcement over unencrypted HTTP connections.
Published: 2026-03-19
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Now
AI Analysis

Impact

The vulnerability in OpenClaw occurs when the configuration option allowInsecureAuth is set to true and the gateway is reachable over unencrypted HTTP. Key detail from the CVE description: an attacker who holds or can obtain device credentials can bypass the normal device identity and pairing checks and gain high-privilege access to the Control UI. The record assigns CWE-78; the weakness is insecure handling of authentication over an unencrypted channel, which can lead to compromise of the device's confidentiality and integrity.

Affected Systems

Affected systems are OpenClaw installations running any version earlier than 2026.2.21 that have allowInsecureAuth enabled and expose the Control UI over plaintext HTTP. Key detail from the vendor list: product OpenClaw:OpenClaw (vendor:product); affected versions, all releases prior to 2026.2.21. If the gateway is not exposed over HTTP, or the setting is disabled, the vulnerability does not apply.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity (key detail from the score data). EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, which suggests limited publicly documented exploitation. Based on the description, the likely attack vector is an attacker who can reach the device's gateway over HTTP and who possesses the credentials, obtained either by interception or from a breach. Successful exploitation then allows full control of the device's configuration and potentially other network functions.

Generated by OpenCVE AI on March 20, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading OpenClaw to version 2026.2.21 or later (official solution).
  • If an upgrade is not immediately possible, disable allowInsecureAuth in the Control UI configuration to enforce secure authentication.

Advisories

Source: Github GHSA
ID: GHSA-3cvx-236h-m9fj
Title: OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access
History

Wed, 25 Mar 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H'}
Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Sat, 21 Mar 2026 05:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 22:15:00 +0000

Type: Description
Values added: OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or intercepted credentials can obtain high-privilege Control UI access by exploiting the lack of secure authentication enforcement over unencrypted HTTP connections.

Type: Title
Values added: OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP

Type: First Time appeared
Values added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values added: CWE-78

Type: CPEs
Values added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values added: Openclaw; Openclaw openclaw

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Type: Metrics (cvssV4_0)
Values added: {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-06T14:39:51.292Z

Reserved: 2026-03-10T19:48:43.187Z

Link: CVE-2026-32034

Vulnrichment

Updated: 2026-03-21T03:13:56.450Z

NVD

Status: Modified

Published: 2026-03-19T22:16:39.167

Modified: 2026-03-25T15:16:46.700

Link: CVE-2026-32034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T10:44:19Z

Weaknesses