GHSA-3cvx-236h-m9fj
OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access
Details
## Description
In affected releases, when an operator explicitly enabled `gateway.controlUi.allowInsecureAuth: true` and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees.
This required an insecure deployment choice and credential exposure risk (for example, plaintext transit or prior token leak). It was fixed on `main` in commit `40a292619e1f2be3a3b1db663d7494c9c2dc0abf` ([PR #20684](https://github.com/openclaw/openclaw/pull/20684)).
## Affected Packages / Versions
- Package: `openclaw` (npm) - Affected published versions: `<= 2026.2.19-2` - Planned patched version: `2026.2.21`
## Impact
In these explicitly insecure deployments, an attacker with leaked/intercepted credentials could obtain high-privilege Control UI access.
## Fix Commit(s)
- `40a292619e1f2be3a3b1db663d7494c9c2dc0abf` (merged 2026-02-20)
OpenClaw thanks @Vasco0x4 for reporting.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3cvx-236h-m9fj [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-32034 [ADVISORY]
- https://github.com/openclaw/openclaw/pull/20684 [WEB]
- https://github.com/openclaw/openclaw/commit/40a292619e1f2be3a3b1db663d7494c9c2dc0abf [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://www.vulncheck.com/advisories/openclaw-insecure-control-ui-authentication-over-plaintext-http [WEB]