OpenClaw Authentication Bypass Vulnerability in Control UI Over Plaintext HTTP
Vulnerability
An authentication bypass vulnerability has been identified in OpenClaw versions prior to 2026.2.21. It affects the Control UI when the 'allowInsecureAuth' option is enabled and the gateway is exposed over unencrypted HTTP. Under these conditions the device identity and pairing verification can be bypassed: an attacker holding intercepted or leaked credentials can obtain high-privilege access to the Control UI, because the plaintext connection offers no secure authentication to prevent it.
Impact
Exploitation of this vulnerability grants high-privilege access to the Control UI, bypassing the device identity and pairing verification that is supposed to gate that access.
Reproduction
To reproduce this vulnerability, enable 'gateway.controlUi.allowInsecureAuth' and expose the gateway over plaintext HTTP. With intercepted or leaked credentials, the Control UI can then be reached without the device identity or pairing checks that should be required, which is the authentication bypass described above.
Remediation
Update to OpenClaw version 2026.2.21 or later, and do not expose the gateway over unencrypted HTTP.
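A configuration audit for the conditions described under Reproduction and Remediation, written here as an added example rather than code from the OpenClaw project. It assumes the deployment's configuration is loaded as a nested dict; the key gateway.controlUi.allowInsecureAuth and the fixed version 2026.2.21 come from this advisory, while gateway.url is a hypothetical key standing in for wherever a deployment records the address the gateway is exposed on. The two sample configurations are constructed for the example.

```python
"""Audit an OpenClaw gateway configuration for the exposure in this advisory:
a pre-fix version, allowInsecureAuth enabled, and the gateway reachable over
plaintext HTTP.  Added example; not OpenClaw's own code.

Assumptions (not taken from the advisory):
  * the configuration is available as a JSON-like nested dict
  * the exposed gateway address is stored under the hypothetical key
    'gateway.url'
"""
from typing import Any, Dict, List, Tuple
from urllib.parse import urlparse

FIXED_VERSION = (2026, 2, 21)            # first fixed version, per the advisory
INSECURE_AUTH_KEY = "gateway.controlUi.allowInsecureAuth"  # key named in the advisory
GATEWAY_URL_KEY = "gateway.url"          # hypothetical key for the exposed address


def lookup(config: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Resolve a dotted key path such as 'gateway.controlUi.allowInsecureAuth'."""
    node: Any = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a date-style version string like '2026.2.20' into a comparable tuple."""
    return tuple(int(p) for p in version.strip().lstrip("v").split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for every release older than the fixed version."""
    return parse_version(version) < FIXED_VERSION


def is_plaintext_http(url: str) -> bool:
    """True when the gateway is served over http:// with no TLS."""
    return urlparse(url).scheme.lower() == "http"


def audit(config: Dict[str, Any], version: str) -> List[str]:
    """Return one finding per advisory precondition that holds."""
    findings: List[str] = []
    if is_vulnerable_version(version):
        fixed = ".".join(str(n) for n in FIXED_VERSION)
        findings.append(f"version {version} is older than {fixed}; update")
    if lookup(config, INSECURE_AUTH_KEY, False) is True:
        findings.append(f"{INSECURE_AUTH_KEY} is enabled; disable it")
    url = lookup(config, GATEWAY_URL_KEY, "")
    if url and is_plaintext_http(url):
        findings.append(f"gateway exposed over plaintext HTTP at {url}; require TLS")
    return findings


def exposed(config: Dict[str, Any], version: str) -> bool:
    """True only when all three preconditions from the advisory hold together."""
    return (
        is_vulnerable_version(version)
        and lookup(config, INSECURE_AUTH_KEY, False) is True
        and is_plaintext_http(lookup(config, GATEWAY_URL_KEY, ""))
    )


# Constructed sample configurations (not real deployments).
RISKY_CONFIG = {
    "gateway": {
        "url": "http://gateway.example.internal:8080",   # plaintext HTTP
        "controlUi": {"allowInsecureAuth": True},        # the weak setting
    }
}
HARDENED_CONFIG = {
    "gateway": {
        "url": "https://gateway.example.internal:8443",  # TLS
        "controlUi": {"allowInsecureAuth": False},       # the corrected setting
    }
}

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "exposed:", exposed(cfg, "2026.2.20"))
        for finding in audit(cfg, "2026.2.20"):
            print("  -", finding)
```

Because the bypass needs all three conditions at once, exposed() reports only that combination, while audit() lists each individual condition so that a deployment which has fixed the version but still runs allowInsecureAuth over HTTP is flagged before the next regression.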