OpenClaw Authentication State Management Vulnerability Allowing Bypass of Authentication Controls

Vulnerability

An authentication state management vulnerability has been identified in OpenClaw versions prior to 2026.4.8. The issue arises because the resolvedAuth closure becomes stale after a configuration reload. As a result, newly accepted gateway connections may continue to use outdated authentication states, allowing attackers to bypass authentication controls by exploiting the timing of configuration reloads.

Impact

Exploitation of this vulnerability allows for bypassing authentication controls, potentially leading to unauthorized access or actions within the application.

Reproduction

To reproduce the issue, establish a gateway connection that relies on the authentication state, then perform a configuration reload. Once the reload completes, the connection still uses the outdated authentication state, bypassing the authentication controls.
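The Vulnerability and Reproduction sections above describe a stale-closure bug class: an authentication check is resolved once from the configuration and captured in a closure, so a later configuration reload never reaches it. The following is an added illustration of that pattern beside its corrected form; it is not OpenClaw's code, and the gateway factory, the `{ tokens: [...] }` config shape, the token values and the `resolveAuth`/`acceptConnection`/`reloadConfig` names are all constructed for the example.

```javascript
// Added illustration of the stale-closure bug class. NOT OpenClaw's code:
// the gateway, config shape and token check are hypothetical and constructed.

// Build an authentication check from a configuration snapshot.
// Returns a closure answering "is this token accepted under that config?".
function resolveAuth(config) {
  const accepted = new Set(config.tokens);
  return (token) => accepted.has(token);
}

// Vulnerable shape: the resolved check is captured once, at construction time.
// reloadConfig() replaces the config object, but connections accepted after the
// reload still consult the closure built from the original config, so the
// authentication state is stale after every reload.
function createVulnerableGateway(initialConfig) {
  let config = initialConfig;
  const resolvedAuth = resolveAuth(config); // captured once, never refreshed

  return {
    reloadConfig(newConfig) {
      config = newConfig; // resolvedAuth above does not observe this change
    },
    acceptConnection(token) {
      return resolvedAuth(token) ? "accepted" : "rejected";
    },
  };
}

// Fixed shape: the check is re-resolved whenever the configuration changes, and
// every newly accepted connection reads the current resolver, not a snapshot.
function createFixedGateway(initialConfig) {
  let resolvedAuth = resolveAuth(initialConfig);

  return {
    reloadConfig(newConfig) {
      resolvedAuth = resolveAuth(newConfig); // refresh auth state on reload
    },
    acceptConnection(token) {
      return resolvedAuth(token) ? "accepted" : "rejected";
    },
  };
}

// Constructed scenario: a reload rotates the gateway token. After the reload,
// only the new token should be accepted for new connections; the old one must
// be rejected. The two "AfterReload" results distinguish stale from current
// authentication state.
function runScenario(createGateway) {
  const before = { tokens: ["old-token-constructed"] };
  const after = { tokens: ["new-token-constructed"] };

  const gateway = createGateway(before);
  const preReload = gateway.acceptConnection("old-token-constructed");
  gateway.reloadConfig(after);

  return {
    preReload,
    oldTokenAfterReload: gateway.acceptConnection("old-token-constructed"),
    newTokenAfterReload: gateway.acceptConnection("new-token-constructed"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", runScenario(createVulnerableGateway));
  console.log("fixed:     ", runScenario(createFixedGateway));
}
```

Running the block prints the vulnerable gateway still accepting the rotated-out token (and rejecting the new one) after the reload, while the fixed gateway tracks the reload. The defensive point is that anything derived from configuration (auth resolvers, allow-lists, key material) must be refreshed on reload or looked up through a reference that the reload updates; a unit test like `runScenario` run against both shapes is a cheap regression check for this class of bug.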

Remediation

Update to OpenClaw version 2026.4.8 or later, which addresses this vulnerability.

Added: Apr 28, 2026, 8:35 PM
Updated: Apr 28, 2026, 8:35 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          0.0
  impact          5.0
  exploitability  7.2
  remediation     0.0
  relevance       6.9
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.