PT-2026-33560 · Npm · Openclaw
Published: 2026-04-07 · Updated: 2026-04-07
CVSS v3.1: 5.7 (Medium)
| Vector | AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
Summary
Before OpenClaw 2026.4.2, the Android client accepted non-loopback cleartext ws:// gateway endpoints and sent the stored gateway credentials over that connection. A forged discovery beacon or a crafted setup code could therefore steer the client onto a cleartext remote endpoint.

Impact
A user who followed a forged discovery result or scanned a crafted setup code could disclose the stored gateway credentials in plaintext to an attacker-controlled endpoint (adjacent-network attacker, user interaction required, hence the 5.7 score). This was a transport-security bug in the Android gateway client: the endpoint scheme was not checked against the host before credentials were sent.
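The endpoint policy the fix commit describes ("require TLS for remote gateway endpoints") amounts to one rule: wss:// is acceptable anywhere, ws:// only to a loopback host, and nothing else is a gateway endpoint at all. The block below is an added illustration of that rule beside the pre-fix behaviour; it is not OpenClaw's own code, and the function names, the loopback list and the sample URLs (including the ports) are assumptions constructed for the example.

```javascript
// Added example, not OpenClaw's implementation. Function names, the loopback
// host list and the sample endpoints below are assumptions for illustration.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "[::1]"]);

function isLoopbackHost(hostname) {
  // The WHATWG URL parser keeps brackets on IPv6 literals ("[::1]"), so both
  // bracketed and bare forms are listed. The whole 127.0.0.0/8 block is loopback.
  const h = hostname.toLowerCase();
  if (LOOPBACK_HOSTS.has(h)) return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// Pre-fix behaviour as the advisory describes it: any ws:// or wss:// URL was
// accepted, so a discovery beacon or setup code pointing at ws://<remote host>
// was followed and the stored credentials went out in cleartext.
function vulnerableAcceptsEndpoint(endpoint) {
  let url;
  try { url = new URL(endpoint); } catch { return false; }
  return url.protocol === "ws:" || url.protocol === "wss:";
}

// Hardened policy: TLS for every remote endpoint; cleartext only to loopback.
function hardenedAcceptsEndpoint(endpoint) {
  let url;
  try { url = new URL(endpoint); } catch { return false; }
  if (url.protocol === "wss:") return true;
  if (url.protocol === "ws:") return isLoopbackHost(url.hostname);
  return false; // http:, https:, file: etc. are never gateway endpoints
}

// The check must sit in front of the credential send, and must run on the URL
// that came out of the beacon or setup code, not only on one the user typed.
// `connect` is a caller-supplied function (assumption) that opens the socket.
function connectWithCredentials(endpoint, credentials, connect) {
  if (!hardenedAcceptsEndpoint(endpoint)) {
    throw new Error(
      `refusing to send gateway credentials to ${endpoint}: remote endpoints must use wss://`
    );
  }
  return connect(endpoint, credentials);
}

// Constructed sample: what a forged discovery result might carry.
const FORGED_DISCOVERY = { gateway: "ws://192.168.1.20:8080/gateway" };

console.log("pre-fix accepts forged endpoint:", vulnerableAcceptsEndpoint(FORGED_DISCOVERY.gateway));
console.log("hardened accepts forged endpoint:", hardenedAcceptsEndpoint(FORGED_DISCOVERY.gateway));
```

The important design point is where the check lives: validating the scheme at the moment of connection, rather than at the moment a URL is stored or displayed, is what closes the discovery-beacon and setup-code paths, since both feed a URL into the client without the user ever seeing a scheme.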
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.1
- Patched versions: >= 2026.4.2
- Latest published npm version: 2026.4.1
Fix Commit(s)
a941a4fef9bc43b2973c92d0dcff5b8a426210c5 — require TLS for remote Android gateway endpoints
Release Process Note
The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.

Thanks @zsxsoft for reporting.
Fix
Information Disclosure
Cleartext Transmission of Sensitive Information
Related identifiers
Affected products
Openclaw