Improper Authorization in OpenClaw - CVE-2026-32034
Published: May 1, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote user to gain privileged operator access.
The vulnerability exists due to improper authorization in the Control UI authentication mechanism when the gateway is exposed over plaintext HTTP with insecure authentication enabled. A remote user can use leaked or intercepted credentials to gain privileged operator access.
Exploitation requires the operator to have explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP.