PT-2026-33859 · Openclaw+1 · Openclaw

Keensecuritylab · Published 2026-04-07 · Updated 2026-04-21

CVE-2026-40045

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

Before OpenClaw 2026.4.2, the Android gateway client accepted non-loopback cleartext ws:// gateway endpoints and would send the stored gateway credentials over that connection. A discovery beacon or a setup code could therefore steer the client onto a cleartext remote endpoint.

Impact

A user who followed a forged discovery result or scanned a crafted setup code could disclose stored gateway credentials to an attacker-controlled endpoint in plaintext. This was a transport-security bug in the Android gateway client.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: >= 2026.4.2
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • a941a4fef9bc43b2973c92d0dcff5b8a426210c5 — require TLS for remote Android gateway endpoints

Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.
Thanks @zsxsoft for reporting.

Weakness Enumeration

  • Cleartext Transmission of Sensitive Information
  • Information Disclosure

Related Identifiers

CVE-2026-40045
GHSA-83F3-HH45-VFW9

Affected Products

Openclaw