OpenClaw WebSocket Gateway Credential Transmission Vulnerability

Vulnerability

A vulnerability in OpenClaw versions prior to 2026.4.2 allows stored gateway credentials to be transmitted over unencrypted WebSocket connections. The flaw exists because the client accepts cleartext 'ws://' gateway endpoints for non-loopback hosts. An attacker can exploit it by forging discovery results or crafting setup codes that redirect the client to an endpoint under their control, where the plaintext gateway credentials can be intercepted.

Impact

Exploitation of this vulnerability could lead to the unauthorized disclosure of gateway credentials to an attacker-controlled endpoint.

Reproduction

To reproduce this vulnerability, connect the OpenClaw Android application to a non-loopback cleartext 'ws://' gateway endpoint, either by forging a discovery result or by scanning a crafted setup code that points the application at that endpoint. Once the connection is established, the stored gateway credentials are sent in plaintext over the unencrypted WebSocket connection.

Remediation

Update to OpenClaw version 2026.4.2 or later, which addresses this vulnerability by requiring TLS for remote gateway endpoints: cleartext 'ws://' is only permitted for loopback hosts.
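The endpoint policy the fix describes, as an added example (not OpenClaw's own code): 'wss://' is accepted for any host, 'ws://' only for a loopback host, and the check runs before any credential leaves the client. Function names and the sample endpoints are constructed for this illustration; the assumption that only literal loopback addresses and the name 'localhost' count as local is noted in the code.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed endpoints of the kind a client might receive from discovery
# or a scanned setup code (illustrative only, not from the advisory).
SAMPLE_ENDPOINTS = [
    "wss://gateway.example.net:8443/ws",   # remote, TLS: acceptable
    "ws://127.0.0.1:18789/ws",             # loopback cleartext: acceptable
    "ws://[::1]:18789/ws",                 # IPv6 loopback cleartext: acceptable
    "ws://192.0.2.10:18789/ws",            # remote cleartext: refused
    "ws://attacker.example/ws",            # remote cleartext by name: refused
    "ws://127.0.0.1@evil.example/ws",      # userinfo trick; host is evil.example
    "http://127.0.0.1/",                   # not a WebSocket scheme: refused
]


def _is_loopback_host(host: str) -> bool:
    """True only for a literal loopback address or the exact name 'localhost'.

    Assumption for this example: names are never resolved, because a hostname
    that resolves to 127.0.0.1 today could be pointed elsewhere by forged
    discovery or DNS. Only literals (and RFC 6761 'localhost') are trusted.
    """
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal, e.g. a DNS name
        return False


def is_acceptable_gateway_endpoint(url: str) -> bool:
    """Policy from the fix: wss:// anywhere, ws:// only to loopback."""
    parts = urlsplit(url)
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return False
    if parts.scheme == "wss":
        return True
    if parts.scheme == "ws":
        return _is_loopback_host(host)
    return False  # http://, file://, empty scheme, etc.


def classify_endpoints(urls):
    """Map each candidate endpoint to whether credentials may be sent to it."""
    return {u: is_acceptable_gateway_endpoint(u) for u in urls}


if __name__ == "__main__":
    for url, allowed in classify_endpoints(SAMPLE_ENDPOINTS).items():
        print(f"{'allow ' if allowed else 'refuse'}  {url}")
```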

Added: Apr 21, 2026, 12:30 AM
Updated: Apr 21, 2026, 12:30 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.5
remediation: 0.0
relevance: 6.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.