GHSA-3cw3-5vxw-g2h3: OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials

March 31, 2026

Remote onboarding accepted discovered gateway endpoints without an explicit trust confirmation before persisting the remote URL and connection details.

References

github.com/advisories/GHSA-3cw3-5vxw-g2h3
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/d6affb17d85f5f5ab08ef9f2b994b257af12e75a
github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3

Code Behaviors & Features

Detect and mitigate GHSA-3cw3-5vxw-g2h3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →