OpenClaw Credential Fallback Vulnerability Allowing Authentication Bypass
Vulnerability
A credential fallback vulnerability has been identified in OpenClaw versions prior to 2026.3.11. This vulnerability arises because unavailable local authentication SecretRefs for gateway.auth.token and gateway.auth.password are incorrectly treated as unset. As a result, the system can fall back to remote credentials while in local mode. Attackers may exploit this flaw by misconfiguring local authentication references, causing the command-line interface (CLI) and helper paths to choose incorrect credential sources. This could potentially bypass intended local authentication boundaries.
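The resolution flaw described above, as an added illustration that is not OpenClaw's code (every type and function name below is hypothetical): a SecretRef resolver returns three distinct states, and the two credential pickers show why flattening "unavailable" into "unset" lets a local-mode lookup walk on to the remote credentials, while the fail-closed version refuses as soon as a configured ref cannot be read.

```typescript
// Added illustration, not OpenClaw code: why "unavailable" and "unset" SecretRefs
// must be kept distinct when resolving gateway.auth.token / gateway.auth.password.
// Every type and function name here is hypothetical.

type SecretRef = { source: "env"; name: string } | { source: "file"; path: string };

interface GatewayAuthConfig {
  mode: "local" | "remote";
  local?: { token?: SecretRef; password?: SecretRef };
  remote?: { token?: string; password?: string };
}

// Constructed stand-in for the environment and filesystem a resolver would read.
interface SecretStore {
  env: Record<string, string>;
  files: Record<string, string>;
}

// Resolution keeps three states apart; collapsing "unavailable" into "unset" is the bug.
type Resolved =
  | { state: "unset" }
  | { state: "unavailable"; reason: string }
  | { state: "ok"; value: string };

function resolveRef(ref: SecretRef | undefined, store: SecretStore): Resolved {
  if (ref === undefined) return { state: "unset" };
  const value = ref.source === "env" ? store.env[ref.name] : store.files[ref.path];
  if (value === undefined) {
    const where = ref.source === "env" ? `env var ${ref.name}` : `file ${ref.path}`;
    return { state: "unavailable", reason: `${where} not readable` };
  }
  return { state: "ok", value };
}

interface Choice {
  source: "local-token" | "local-password" | "remote-token" | "remote-password";
  value: string;
}

// Vulnerable pattern: a ref that fails to resolve becomes undefined, indistinguishable
// from a ref that was never configured, so the chain continues to the remote
// credentials even though mode is "local".
function pickCredentialVulnerable(cfg: GatewayAuthConfig, store: SecretStore): Choice | null {
  const asValue = (r: Resolved) => (r.state === "ok" ? r.value : undefined);
  const localToken = asValue(resolveRef(cfg.local?.token, store));
  if (localToken !== undefined) return { source: "local-token", value: localToken };
  const localPassword = asValue(resolveRef(cfg.local?.password, store));
  if (localPassword !== undefined) return { source: "local-password", value: localPassword };
  if (cfg.remote?.token) return { source: "remote-token", value: cfg.remote.token };
  if (cfg.remote?.password) return { source: "remote-password", value: cfg.remote.password };
  return null;
}

class CredentialResolutionError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "CredentialResolutionError";
  }
}

// Hardened pattern: in local mode, a configured-but-unavailable ref is a hard error
// (fail closed). Only a genuinely unset ref lets the chain continue.
function pickCredentialHardened(cfg: GatewayAuthConfig, store: SecretStore): Choice | null {
  if (cfg.mode === "local") {
    const token = resolveRef(cfg.local?.token, store);
    if (token.state === "unavailable") throw new CredentialResolutionError(`gateway.auth.token: ${token.reason}`);
    if (token.state === "ok") return { source: "local-token", value: token.value };
    const password = resolveRef(cfg.local?.password, store);
    if (password.state === "unavailable") throw new CredentialResolutionError(`gateway.auth.password: ${password.reason}`);
    if (password.state === "ok") return { source: "local-password", value: password.value };
  }
  if (cfg.remote?.token) return { source: "remote-token", value: cfg.remote.token };
  if (cfg.remote?.password) return { source: "remote-password", value: cfg.remote.password };
  return null;
}

// Constructed scenario: local mode, the token ref names an env var that is not set,
// and a remote token happens to be configured.
const sampleStore: SecretStore = { env: {}, files: {} };
const sampleConfig: GatewayAuthConfig = {
  mode: "local",
  local: { token: { source: "env", name: "OPENCLAW_LOCAL_TOKEN" } },
  remote: { token: "constructed-remote-token" },
};

// Returns which credential source each picker ends up using for the scenario.
function demo(): { vulnerable: string; hardened: string } {
  const vulnerable = pickCredentialVulnerable(sampleConfig, sampleStore)?.source ?? "none";
  let hardened: string;
  try {
    hardened = pickCredentialHardened(sampleConfig, sampleStore)?.source ?? "none";
  } catch (e) {
    hardened = e instanceof Error && e.name === "CredentialResolutionError" ? `refused: ${e.message}` : "unexpected";
  }
  return { vulnerable, hardened };
}

console.log(demo());
```

The point of the three-state `Resolved` type is that a caller cannot reach the remote branch by accident: an unreadable env var or file in local mode surfaces as a `CredentialResolutionError` that the CLI or helper path has to handle, and only a ref that was never configured is allowed to continue down the chain.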
Impact
Exploitation of this vulnerability could bypass local authentication boundaries, allowing unauthorized access or actions within the application.
Remediation
Users are advised to upgrade to OpenClaw version 2026.3.11 or later.
