Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode

GHSA-vm29-7mq3-9jrg

Published Mar 31, 2026 · Modified Apr 7, 2026

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-qvr7-g57c-mrc7. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth references to cause CLI and helper paths to select incorrect credential sources, potentially bypassing intended local authentication boundaries.

References

WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-32970
WEB https://www.vulncheck.com/advisories/openclaw-credential-fallback-logic-bypass-via-unavailable-local-auth-secretrefs

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes