Description
OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gateway credentials or traffic.
Published: 2026-04-23
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exfiltration via Unauthenticated Discovery Endpoint
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an authentication bypass located in the remote onboarding component of OpenClaw. Attackers can create spoofed discovery endpoints that redirect the onboarding process toward malicious gateways, allowing the capture of gateway credentials or intercepted traffic. The flaw leads to credential theft and potential unauthorized access to the system, representing a significant breach of confidentiality and integrity. This weakness is classified as CWE-346, indicating broken authentication.

Affected Systems

OpenClaw versions prior to 2026.3.28 are affected. The issue is present in the OpenClaw product built on Node.js; only releases before the 2026.3.28 update are susceptible.

Risk and Exploitability

The CVSS score of 7.4 denotes high severity, while the EPSS score of less than 1% indicates that, at present, exploitation is unlikely but still possible in the wild. The vulnerability is not listed in CISA's KEV catalog. Attackers can exploit the flaw remotely by sending forged discovery requests to the target without needing valid credentials, leveraging the authentication bypass in the onboarding flow to exfiltrate credentials.

Generated by OpenCVE AI on April 28, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.3.28 or later to apply the fix for authentication bypass in remote onboarding.
  • Disable or restrict the remote onboarding feature if the newer version cannot be immediately deployed, preventing unauthenticated discovery requests.
  • Block or filter outbound discovery endpoint traffic to trusted gateways, ensuring that any spoofed endpoints are rejected.
  • Implement network monitoring to detect unusual discovery requests and review gateway configuration to prevent credential capture.

Generated by OpenCVE AI on April 28, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3cw3-5vxw-g2h3 OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials
History

Thu, 23 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gateway credentials or traffic.
Title OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-346
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T11:01:54.589Z

Reserved: 2026-04-20T14:05:09.183Z

Link: CVE-2026-41342

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T22:16:40.640

Modified: 2026-04-29T15:55:12.670

Link: CVE-2026-41342

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses