OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials

GHSA-3cw3-5vxw-g2h3 · CVE-2026-41342

Published Mar 31, 2026 · Modified May 8, 2026

Description

Summary

Remote onboarding accepted discovered gateway endpoints without an explicit trust confirmation before persisting the remote URL and connection details.

Impact

A malicious or spoofed discovery endpoint could steer onboarding toward an attacker-controlled gateway and capture future gateway credentials or traffic.

Affected Component

src/commands/onboard-remote.ts

Fixed Versions

Affected: <= 2026.3.24
Patched: >= 2026.3.28
Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit d6affb17d8 (CLI: confirm discovered remote gateways before saving config).

References

WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-41342
WEB https://github.com/openclaw/openclaw/commit/d6affb17d85f5f5ab08ef9f2b994b257af12e75a
PACKAGE https://github.com/openclaw/openclaw
WEB https://www.vulncheck.com/advisories/openclaw-unauthenticated-discovery-endpoint-credential-exfiltration-via-remote-onboarding

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes