GHSA-qvr7-g57c-mrc7: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode

March 13, 2026

In affected versions of openclaw, local gateway helper credential resolution treated configured but unavailable gateway.auth.token and gateway.auth.password SecretRefs as if they were unset and could fall back to gateway.remote.* credentials in local mode.

References

github.com/advisories/GHSA-qvr7-g57c-mrc7
github.com/openclaw/openclaw
github.com/openclaw/openclaw/releases/tag/v2026.3.11
github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7

Code Behaviors & Features

Detect and mitigate GHSA-qvr7-g57c-mrc7 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →