GHSA-rchv-x836-w7xp: OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage
OpenClaw’s macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces.
Before the fix, the macOS app appended the shared Gateway token and password to the Dashboard URL query string when opening the Control UI in the browser. The Control UI then imported the token and persisted it into browser localStorage under openclaw.control.settings.v1.
This expanded the exposure of reusable Gateway admin credentials to browser address-bar/query surfaces and to persistent, script-readable storage.
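The two surfaces the advisory names (a secret in the URL query string, and the same secret persisted to localStorage) are easy to model and audit in isolation. The block below is an added illustration, not OpenClaw's code and not its actual fix: the vulnerableImport function reproduces the pre-fix pattern the advisory describes, hardenedImport shows one assumed alternative (auth material carried only in the URL fragment, held in session-scoped memory, and scrubbed from the URL after import), and findLeaks is a small audit helper a defender can run against a URL and a settings store. The storage key openclaw.control.settings.v1 comes from the advisory; the parameter names token and password, the example hostname, and the MemoryStorage stand-in for browser storage are assumptions so the code runs outside a browser.

```javascript
// Added example for GHSA-rchv-x836-w7xp; not OpenClaw's code. Parameter names,
// hostnames and the hardened design below are assumptions, not the project's fix.

const SETTINGS_KEY = "openclaw.control.settings.v1"; // storage key named in the advisory
const SECRET_PARAMS = ["token", "password"];          // assumed query parameter names

// Minimal stand-in for window.localStorage so the example runs under Node.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
}

// Vulnerable pattern (the pre-fix behaviour the advisory describes): the token
// arrives in the query string and is written to persistent, script-readable storage.
function vulnerableImport(urlString, localStorage) {
  const url = new URL(urlString);
  const token = url.searchParams.get("token");
  if (token) {
    const settings = JSON.parse(localStorage.getItem(SETTINGS_KEY) || "{}");
    settings.token = token;
    localStorage.setItem(SETTINGS_KEY, JSON.stringify(settings));
  }
  return token;
}

// Hardened pattern (assumed, not the project's fix): accept auth material only from
// the URL fragment, which browsers do not send to servers or include in Referer;
// keep it in a session-scoped store (a Map here, standing in for sessionStorage),
// never persist it, and strip the fragment so it does not linger in the address bar.
function hardenedImport(urlString, sessionStore) {
  const url = new URL(urlString);
  const fragmentParams = new URLSearchParams(url.hash.replace(/^#/, ""));
  const token = fragmentParams.get("token");
  if (token) {
    sessionStore.set("token", token);
    url.hash = ""; // scrub the fragment from the URL that stays in the location bar
  }
  return { token, scrubbedUrl: url.toString() };
}

// Audit helper: report secrets carried in the query string or persisted under the
// settings key. Returns a list of human-readable findings (empty means clean).
function findLeaks(urlString, localStorage) {
  const findings = [];
  const url = new URL(urlString);
  for (const name of SECRET_PARAMS) {
    if (url.searchParams.has(name)) findings.push(`query param '${name}' carries a secret`);
  }
  const raw = localStorage.getItem(SETTINGS_KEY);
  if (raw) {
    const settings = JSON.parse(raw);
    for (const name of SECRET_PARAMS) {
      if (settings[name]) findings.push(`localStorage ${SETTINGS_KEY} persists '${name}'`);
    }
  }
  return findings;
}

// Constructed sample inputs (example hostname and placeholder secret values).
const LEAKY_URL = "https://gateway.example/dashboard?token=EXAMPLE_TOKEN&password=EXAMPLE_PW";
const FRAGMENT_URL = "https://gateway.example/dashboard#token=EXAMPLE_TOKEN";

function demo() {
  const ls = new MemoryStorage();
  vulnerableImport(LEAKY_URL, ls);
  const before = findLeaks(LEAKY_URL, ls);
  const { scrubbedUrl } = hardenedImport(FRAGMENT_URL, new Map());
  const after = findLeaks(scrubbedUrl, new MemoryStorage());
  return { before, after };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}

module.exports = { SETTINGS_KEY, MemoryStorage, vulnerableImport, hardenedImport, findLeaks, demo };
```

Running the block prints three findings for the leaky flow (two query parameters plus the persisted token) and none for the hardened flow. The audit helper is the part worth keeping: pointed at a real Control UI URL and a dump of localStorage, it answers the advisory's question directly, namely whether Gateway admin credentials are sitting in a browser surface they should not be in.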