CVE-2026-32045
MEDIUMOpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth
Title source: cnaDescription
OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials.
References (3)
Core 3
Core References
Third Party Advisory third-party-advisory
GitHub Security Advisory (GHSA-hff7-ccv5-52f8)
https://github.com/openclaw/openclaw/security/advisories/GHSA-hff7-ccv5-52f8
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/356d61aacfa5b0f1d5830716ec59d70682a3e7b8
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth
https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-http-gateway-routes-via-tokenless-tailscale-auth
Scores
CVSS v3
5.9
EPSS
0.0040
EPSS Percentile
31.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-290
Status
published
Products (4)
npm/openclaw
0 - 2026.2.21npm
OpenClaw/OpenClaw
< 2026.2.21
openclaw/openclaw
< 2026.2.21
OpenClaw/OpenClaw
2026.2.21
Published
Mar 21, 2026
Tracked Since
Mar 21, 2026