CVE-2026-32034: OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access

March 3, 2026 (updated March 19, 2026)

In affected releases, when an operator explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees.

This required an insecure deployment choice and credential exposure risk (for example, plaintext transit or prior token leak). It was fixed on main in commit 40a292619e1f2be3a3b1db663d7494c9c2dc0abf (PR #20684).

References

github.com/advisories/GHSA-3cvx-236h-m9fj
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/40a292619e1f2be3a3b1db663d7494c9c2dc0abf
github.com/openclaw/openclaw/pull/20684
github.com/openclaw/openclaw/security/advisories/GHSA-3cvx-236h-m9fj
nvd.nist.gov/vuln/detail/CVE-2026-32034

Code Behaviors & Features

Detect and mitigate CVE-2026-32034 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →