Vasco

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.21 **Description** OpenClaw versions before 2026.2.21 have an authentication bypass issue in the Control UI. This occurs when `allowInsecureAuth` is enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with compromised credentials can gain high-privilege access to the Control UI by exploiting the lack of secure authentication enforcement over unencrypted HTTP connections. The issue requires an insecure deployment choice and credential exposure. The fix was implemented in commit `40a292619e1f2be3a3b1db663d7494c9c2dc0abf`. The vulnerable configuration parameter is `gateway.controlUi.allowInsecureAuth`. **Recommendations** Update to version 2026.2.21 or later.