
CVE

CVE-2026-32034

OpenClaw's opt-in insecure Control UI auth over plaintext HTTP could allow privileged access

Description

In affected releases, when an operator explicitly set gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could grant privileged operator access without the intended device-identity and pairing guarantees.

Exploitation therefore required both an insecure deployment choice and an exposed credential (for example, a token intercepted in plaintext transit or leaked earlier). The issue was fixed on main in commit 40a292619e1f2be3a3b1db663d7494c9c2dc0abf (PR #20684).
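The preconditions above can be checked mechanically. The Python script below is an added example written for this page, not code from OpenClaw or Endor Labs: it audits a gateway config for the opt-in flag, for plaintext exposure beyond loopback, and for an unpatched version, and reports which of the advisory's conditions are met. Only the key path gateway.controlUi.allowInsecureAuth and the version numbers are taken from the advisory; the bind and tls keys, the sample configs and the version-string shape are assumptions made for illustration and may not match OpenClaw's real schema.

```python
"""Audit an OpenClaw gateway config for the CVE-2026-32034 preconditions.

Added example, not OpenClaw or Endor Labs code. The key path
gateway.controlUi.allowInsecureAuth and the fixed release 2026.2.21 come
from the advisory; the `bind` and `tls` keys and the sample configs below
are constructed for illustration and may not match the real schema.
"""
import json
import re
from ipaddress import ip_address

FIXED_VERSION = (2026, 2, 21)  # "Planned patched version" in the advisory


def parse_version(v: str):
    """Turn '2026.2.19-2' into ((2026, 2, 19), 2); a missing suffix is build 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    return base, int(m.group(4) or 0)


def version_is_fixed(v: str) -> bool:
    """True when the date-based release is at or past the patched release."""
    base, _ = parse_version(v)
    return base >= FIXED_VERSION


def listens_beyond_loopback(bind: str) -> bool:
    """Anything that is not a loopback address counts as externally reachable."""
    if bind == "localhost":
        return False
    try:
        return not ip_address(bind).is_loopback
    except ValueError:
        return True  # a hostname: assume it resolves to a reachable interface


def audit(config: dict, installed_version: str) -> list:
    """Return one finding per advisory precondition that holds for this deployment."""
    findings = []
    gw = config.get("gateway", {})
    insecure_auth = gw.get("controlUi", {}).get("allowInsecureAuth") is True
    # `tls` and `bind` are hypothetical keys standing in for "plaintext HTTP"
    # and "exposed"; adapt them to the real deployment's settings.
    plaintext = not gw.get("tls", {}).get("enabled", False)
    exposed = listens_beyond_loopback(str(gw.get("bind", "127.0.0.1")))

    if insecure_auth:
        findings.append("gateway.controlUi.allowInsecureAuth is true "
                        "(opt-in insecure Control UI auth)")
    if insecure_auth and plaintext and exposed:
        findings.append("Control UI auth reachable over plaintext HTTP beyond "
                        "loopback: CVE-2026-32034 preconditions are met")
    if not version_is_fixed(installed_version):
        findings.append(f"openclaw {installed_version} predates the fixed "
                        "release 2026.2.21")
    return findings


# Constructed sample configs: the deployment the advisory describes, and the
# same gateway with the default (secure) settings restored.
INSECURE_CONFIG = json.loads("""
{"gateway": {"bind": "0.0.0.0",
             "tls": {"enabled": false},
             "controlUi": {"allowInsecureAuth": true}}}
""")
HARDENED_CONFIG = json.loads("""
{"gateway": {"bind": "127.0.0.1",
             "tls": {"enabled": true},
             "controlUi": {"allowInsecureAuth": false}}}
""")

if __name__ == "__main__":
    for label, cfg, ver in (("insecure", INSECURE_CONFIG, "2026.2.19-2"),
                            ("hardened", HARDENED_CONFIG, "2026.2.21")):
        print(f"[{label}] {audit(cfg, ver) or ['no findings']}")
```

The flag on its own is reported even when the gateway is loopback-only, because the opt-in is the root of the weakness; the full CVE-2026-32034 finding is only raised when all three conditions (flag, plaintext, exposure) line up.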

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected published versions: <= 2026.2.19-2
  • Planned patched version: 2026.2.21

Impact

In these explicitly insecure deployments, an attacker holding leaked or intercepted credentials could obtain high-privilege Control UI access.

Fix Commit(s)

  • 40a292619e1f2be3a3b1db663d7494c9c2dc0abf (merged 2026-02-20)

OpenClaw thanks @Vasco0x4 for reporting.


CVSS Scores

Severity   Base Score   CVSS Version   Score Vector
Medium     6.1          4.0            CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
High       7.5          3.1            CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H


References

  • https://github.com/openclaw/openclaw/security/advisories/GHSA-3cvx-236h-m9fj
  • https://nvd.nist.gov/vuln/detail/CVE-2026-32034
  • https://github.com/openclaw/openclaw/pull/20684
  • https://github.com/openclaw/openclaw/commit/40a292619e1f2be3a3b1db663d7494c9c2dc0abf
  • https://github.com/openclaw/openclaw
  • https://www.vulncheck.com/advisories/openclaw-insecure-control-ui-authentication-over-plaintext-http

Basic Information

  • Ecosystem: npm
  • Base CVSS: 7.5
  • EPSS Probability: 0.00097%
  • EPSS Percentile: 0.26485%
  • Introduced Version: 0
  • Fix Available: 2026.2.21