CVE-2026-32034: OpenClaw opt-in insecure Control UI auth over plaintext HTTP could allow privileged access
In affected releases, when an operator explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device-identity and pairing guarantees.
Exploitation required both an insecure deployment choice and credential exposure (for example, tokens observed in plaintext transit or a previously leaked token). The issue was fixed on main in commit 40a292619e1f2be3a3b1db663d7494c9c2dc0abf (PR #20684).
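An audit check for the precondition described above, added here as an example and not OpenClaw's own code. It assumes the gateway config has been loaded as a nested dict whose keys mirror the dotted path gateway.controlUi.allowInsecureAuth, and that the operator supplies the URL at which the gateway is reachable; the severity labels and the sample configs are this example's own construction.

```python
"""Audit an OpenClaw-style gateway config for the CVE-2026-32034 precondition.

Added example, not OpenClaw's own code. Assumptions (not from the advisory):
the config is available as a nested dict mirroring the dotted key path
gateway.controlUi.allowInsecureAuth, and the caller passes the URL the
gateway is exposed on. Severity labels are this example's own scale.
"""
from copy import deepcopy
from urllib.parse import urlsplit

INSECURE_AUTH_KEY = "gateway.controlUi.allowInsecureAuth"


def lookup(config: dict, dotted_key: str):
    """Walk a dotted key path through nested dicts; None if any hop is missing."""
    node = config
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_control_ui(config: dict, exposed_url: str) -> dict:
    """Report whether the two conditions named in the advisory are both present.

    "high"   : allowInsecureAuth is true AND the gateway is served over plain http
    "medium" : only one of the two holds (hygiene finding, not the advisory's case)
    "ok"     : neither holds
    """
    findings = []
    # Only a literal boolean true counts; a string "true" would be a config bug.
    insecure_auth = lookup(config, INSECURE_AUTH_KEY) is True
    plaintext = urlsplit(exposed_url).scheme.lower() == "http"
    if insecure_auth:
        findings.append(f"{INSECURE_AUTH_KEY} is true (opt-in insecure Control UI auth)")
    if plaintext:
        findings.append(f"gateway exposed over plaintext HTTP at {exposed_url}")
    if insecure_auth and plaintext:
        severity = "high"
    elif insecure_auth or plaintext:
        severity = "medium"
    else:
        severity = "ok"
    return {"severity": severity, "findings": findings}


def harden(config: dict) -> dict:
    """Return a copy of the config with allowInsecureAuth forced to False.

    Only rewrites the key if the path exists; does not invent config structure.
    """
    fixed = deepcopy(config)
    parts = INSECURE_AUTH_KEY.split(".")
    node = fixed
    for part in parts[:-1]:
        if not isinstance(node, dict) or part not in node:
            return fixed
        node = node[part]
    if isinstance(node, dict) and parts[-1] in node:
        node[parts[-1]] = False
    return fixed


# Constructed sample configs (not real OpenClaw deployments).
VULNERABLE_CONFIG = {"gateway": {"controlUi": {"allowInsecureAuth": True}}}
SAFE_CONFIG = {"gateway": {"controlUi": {"allowInsecureAuth": False}}}


if __name__ == "__main__":
    for name, cfg, url in [
        ("vulnerable", VULNERABLE_CONFIG, "http://10.0.0.5:18789"),
        ("opt-in over TLS", VULNERABLE_CONFIG, "https://gateway.example.internal"),
        ("hardened", harden(VULNERABLE_CONFIG), "https://gateway.example.internal"),
    ]:
        report = audit_control_ui(cfg, url)
        print(f"{name}: {report['severity']}")
        for line in report["findings"]:
            print(f"  - {line}")
```

The check treats the two conditions separately on purpose: the advisory's case is the conjunction, but either one alone is worth surfacing during a config review, since an operator who later flips the other setting reintroduces the exposure.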
References
- github.com/advisories/GHSA-3cvx-236h-m9fj
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/40a292619e1f2be3a3b1db663d7494c9c2dc0abf
- github.com/openclaw/openclaw/pull/20684
- github.com/openclaw/openclaw/security/advisories/GHSA-3cvx-236h-m9fj
- nvd.nist.gov/vuln/detail/CVE-2026-32034
- www.vulncheck.com/advisories/openclaw-insecure-control-ui-authentication-over-plaintext-http