Description
OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malicious endpoints, disclosing plaintext gateway credentials.
Published: 2026-04-20
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credentials Exposure
Action: Immediate Upgrade
AI Analysis

Impact

OpenClaw releases prior to 2026.4.2 allow the configuration of non-loopback WebSocket gateway endpoints that accept plain text ws:// connections. When a client connects, the system automatically transmits stored gateway credentials over these unencrypted links. The vulnerability can be exploited by forging discovery responses or manipulating setup codes, causing legitimate clients to be redirected to malicious endpoints. The result is the disclosure of plaintext gateway credentials, which could be used for unauthorized control of the gateway or to pivot to other systems on the network.

Affected Systems

All OpenClaw installations running versions older than 2026.4.2 are affected. The vulnerability is present in the Node.js implementation of the OpenClaw platform, exposing non-loopback ws:// WebSocket endpoints to external traffic.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score of < 1% suggests a very low but non-zero probability of exploitation. The vulnerability is not listed in CISA KEV. Attackers can remotely exploit the flaw by interacting with the vulnerable WebSocket gateway, but the attack requires that the endpoint be reachable and that the client follows redirected discovery steps; these preconditions are inferred from the description. Because the security flaw leads solely to credential disclosure, it does not directly grant remote code execution, yet the leaked credentials could allow an attacker to take over or compromise the gateway and potentially access other network assets.

Generated by OpenCVE AI on April 21, 2026 at 23:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch for 2026.4.2 or later to eliminate the unencrypted WebSocket exposure
  • Reconfigure the OpenClaw deployment to accept only loopback or encrypted WSS connections for gateway endpoints
  • Restrict external access to the WebSocket gateway with firewall rules, ensuring that only trusted networks can reach the endpoint



Advisories

Source: Github GHSA
ID: GHSA-83f3-hh45-vfw9
Title: OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://
History

Tue, 21 Apr 2026 14:15:00 +0000

Values Removed: (none)
Values Added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 23:30:00 +0000

Values Removed: (none)
Values Added:
  Description: OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malicious endpoints, disclosing plaintext gateway credentials.
  Title: OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints
  First Time appeared: Openclaw; Openclaw openclaw
  Weaknesses: CWE-319
  CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products: Openclaw; Openclaw openclaw
  References: (none listed)
  Metrics (cvssV3_1): {'score': 5.7, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
  Metrics (cvssV4_0): {'score': 5.9, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-21T13:37:43.951Z

Reserved: 2026-04-08T13:39:22.100Z

Link: CVE-2026-40045

Vulnrichment

Updated: 2026-04-21T13:37:40.313Z

NVD

Status: Analyzed

Published: 2026-04-21T00:16:29.300

Modified: 2026-04-24T19:03:59.463

Link: CVE-2026-40045

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z

Weaknesses