PT-2026-39683 · Openclaw · Openclaw
Keensecuritylab
·
Published
2026-05-04
·
Updated
2026-05-11
·
CVE-2026-44994
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.4.22
Description
An authentication bypass exists in the Control UI bootstrap config endpoint, allowing unauthenticated attackers to read sensitive configuration fields. Attackers can access the bootstrap config route without a valid Gateway token to expose sensitive bootstrap and config information intended only for authenticated Control UI sessions.
Recommendations
Update to version 2026.4.22.
Exploit
Fix
Missing Authorization
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw