CVE-2026-32034

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.21

Description OpenClaw versions before 2026.2.21 have an authentication bypass issue in the Control UI. This occurs when allowInsecureAuth is enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with compromised credentials can gain high-privilege access to the Control UI by exploiting the lack of secure authentication enforcement over unencrypted HTTP connections. The issue requires an insecure deployment choice and credential exposure. The fix was implemented in commit 40a292619e1f2be3a3b1db663d7494c9c2dc0abf. The vulnerable configuration parameter is gateway.controlUi.allowInsecureAuth.

Recommendations Update to version 2026.2.21 or later.