Insufficient verification of data authenticity in OpenClaw - #VU125221

 

Published: April 8, 2026


Vulnerability identifier: #VU125221
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-345
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and modify configuration data.

The vulnerability exists due to improper trust management in src/commands/onboard-remote.ts when accepting discovered gateway endpoints during remote onboarding. A remote attacker can provide a malicious or spoofed discovery endpoint to disclose sensitive information and modify configuration data.

User interaction is required during the onboarding process, and exploitation depends on discovery on the local network.
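As an added illustration of the weakness class described above (CWE-345, insufficient verification of data authenticity) and not OpenClaw's own code, the TypeScript below contrasts an onboarding step that trusts whichever endpoint answers a discovery probe with one that accepts an announced gateway only if it proves knowledge of a pairing secret the operator obtained out of band. The announcement shape, the `pairingSecret`, and the host and port values are constructed for this example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed shape of a discovery announcement (hypothetical; not OpenClaw's wire format).
export interface DiscoveredGateway {
  host: string;
  port: number;
  // Present only in the hardened flow: hex HMAC-SHA256 over "host:port" keyed with the pairing secret.
  proof?: string;
}

// Weak pattern: the first responder on the local network is accepted as the gateway,
// so a spoofed announcer receives whatever the client sends next (credentials, config).
export function pickGatewayUnverified(announcements: DiscoveredGateway[]): DiscoveredGateway | undefined {
  return announcements[0];
}

// Proof a genuine gateway can compute and a spoofer cannot (without the secret).
function expectedProof(host: string, port: number, pairingSecret: string): Buffer {
  return createHmac("sha256", pairingSecret).update(`${host}:${port}`).digest();
}

// Hardened pattern: an announcement is trusted only if its proof matches the pairing
// secret the operator read from the real gateway, compared in constant time.
export function pickGatewayVerified(announcements: DiscoveredGateway[], pairingSecret: string): DiscoveredGateway | undefined {
  for (const gw of announcements) {
    if (!gw.proof) continue; // unauthenticated announcements are ignored
    const want = expectedProof(gw.host, gw.port, pairingSecret);
    const got = Buffer.from(gw.proof, "hex");
    if (want.length === got.length && timingSafeEqual(want, got)) return gw;
  }
  return undefined;
}

// What a genuine gateway would broadcast (constructed helper for the demo).
export function announce(host: string, port: number, pairingSecret: string): DiscoveredGateway {
  return { host, port, proof: expectedProof(host, port, pairingSecret).toString("hex") };
}
```

Binding the proof to the announced host and port means an attacker who replays a genuine announcement only directs the client back to the genuine gateway.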


Remediation

Install security update from vendor's website.

Sources