GHSA-3cvx-236h-m9fj: OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access

March 3, 2026

In affected releases, when an operator explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees.

This required an insecure deployment choice and credential exposure risk (for example, plaintext transit or prior token leak). It was fixed on main in commit 40a292619e1f2be3a3b1db663d7494c9c2dc0abf (PR #20684).

References

github.com/advisories/GHSA-3cvx-236h-m9fj
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/40a292619e1f2be3a3b1db663d7494c9c2dc0abf
github.com/openclaw/openclaw/pull/20684
github.com/openclaw/openclaw/security/advisories/GHSA-3cvx-236h-m9fj

Code Behaviors & Features

Detect and mitigate GHSA-3cvx-236h-m9fj with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →