Impact
OpenClaw versions earlier than 2026.3.11 contain a flaw that treats unavailable local gateway.auth.token and gateway.auth.password references as unset, so the application falls back to remote credentials even when operating in local mode. Because authentication is not enforced correctly, the command line interface and auxiliary processes can unintentionally select a credential source other than the one configured, allowing an attacker to bypass the intended local authentication boundary. The weakness is classified as CWE-636, representing a failure to enforce the correct authentication policy.
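The fallback described above, modelled as an added Python example that is not OpenClaw's own code: the flawed selector collapses "secret unavailable" into "secret unset" and falls through to remote credentials, while the hardened selector fails closed. The secret store, the SecretRef shape and the remote.auth.token key are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Union

class SecretUnavailable(Exception):
    """A SecretRef exists but its backing store cannot supply it right now."""

@dataclass(frozen=True)
class SecretRef:
    name: str  # hypothetical: a reference into an external secret store

Ref = Union[None, str, SecretRef]

def resolve(ref: Ref, store: dict) -> Optional[str]:
    """Three distinct states: unset (None), inline literal, or a SecretRef
    that must be fetched from the store and may be unavailable."""
    if ref is None:
        return None
    if isinstance(ref, SecretRef):
        if ref.name not in store:
            raise SecretUnavailable(ref.name)
        return store[ref.name]
    return ref

def pick_credential_vulnerable(config: dict, store: dict, mode: str):
    """Flawed: an unavailable local SecretRef is swallowed and looks unset,
    so local mode silently falls through to the remote credential."""
    def lenient(key: str) -> Optional[str]:
        try:
            return resolve(config.get(key), store)
        except SecretUnavailable:
            return None  # the bug: 'unavailable' collapsed into 'unset'
    if mode == "local":
        local = lenient("gateway.auth.token") or lenient("gateway.auth.password")
        if local:
            return ("local", local)
    return ("remote", lenient("remote.auth.token"))  # assumed key name

def pick_credential_fixed(config: dict, store: dict, mode: str):
    """Fail closed: in local mode an unavailable local ref propagates as an
    error and remote credentials are never consulted."""
    if mode == "local":
        local = (resolve(config.get("gateway.auth.token"), store)
                 or resolve(config.get("gateway.auth.password"), store))
        if local is None:
            raise SecretUnavailable("no local credential configured")
        return ("local", local)
    return ("remote", resolve(config.get("remote.auth.token"), store))
```

A detection-minded check is to log every SecretUnavailable distinctly from an unset value, so a local-mode process that reaches remote credentials is visible rather than silent.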
Affected Systems
All deployments of OpenClaw that rely on the local gateway authentication mechanism are potentially affected. Any installation running a release prior to 2026.3.11 and using gateway.auth.token or gateway.auth.password SecretRefs is at risk. The issue is independent of operating system or hosting environment and applies to all standard configurations of the software.
Risk and Exploitability
The vulnerability scores low, with a CVSS base score of 2; no EPSS data is available, and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker needs local system access, or the ability to modify the local authentication references, to exploit the fallback logic. The exploit does not provide remote code execution but can lead to unauthorized use of credential information and compromise the isolation between local and remote authentication mechanisms. Consequently, the risk is considered low to moderate, with the primary concern being credential misuse rather than system compromise.
OpenCVE Enrichment