GHSA-83f3-hh45-vfw9: OpenClaw: cleartext WebSocket exposes gateway credentials

Published April 7, 2026

CISO Take

OpenClaw's Android client (≤2026.4.1) failed to enforce TLS on remote gateway connections, transmitting stored credentials in plaintext over ws:// whenever a forged discovery beacon or crafted QR setup code redirected the client to an attacker-controlled endpoint. There is no CVSS score, EPSS data, or CISA KEV entry, and no public exploit is known — however, the 37 existing CVEs in this package signal sustained security debt, and the attack requires only network adjacency plus a spoofed beacon, a low bar in shared WiFi, hospitality, or corporate environments. AI teams running OpenClaw as a gateway client on Android should upgrade to 2026.4.2 immediately; organizations unable to patch right away should enforce network-level controls blocking cleartext ws:// and restrict gateway endpoint provisioning to trusted, authenticated sources.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium risk overall, elevated for AI agent deployments dependent on gateway authentication. Exploitation requires network positioning or the ability to deliver a forged discovery signal or QR code — feasible in shared network environments or via phishing. No active exploitation evidence and no public exploit reduce urgency, but stolen gateway credentials grant persistent access to AI agent sessions, enabling follow-on context manipulation or data exfiltration. The 37-CVE history of the openclaw package warrants heightened scrutiny.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	<= 2026.4.1	`2026.4.2`

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

Upgrade openclaw to ≥2026.4.2 on all Android deployments — the fix enforces TLS for remote gateway endpoints.
Rotate gateway credentials for any instance that may have connected over cleartext ws:// on an untrusted network.
Audit network traffic logs for anomalous ws:// connections to non-loopback addresses from mobile OpenClaw clients.
Enforce enterprise network policies (MDM/NAC) that block cleartext WebSocket traffic on corporate devices.
Validate that gateway endpoint provisioning flows (discovery beacons, QR setup codes) originate from authenticated, trusted infrastructure.
Given the 37-CVE package history, schedule a broader security review of OpenClaw's use in your AI agent stack.

Classification

Data Leakage Auth Bypass Agent AML.T0012 - Valid Accounts AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15(5) - Cybersecurity of High-Risk AI Systems

ISO 42001

A.8.2 - Information security in AI systems

NIST AI RMF

MANAGE-2.4 - AI Risk Response Mechanisms

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

AIID #1368 documents credential exfiltration via OpenClaw's third-party skills ecosystem (AMOS stealer via ClawHub). This CVE exposes a transport-layer credential theft vector in the same OpenClaw platform, representing the same failure class — inadequate protection of credentials in the OpenClaw agent ecosystem — and could serve as a prerequisite or complement to the skills-based exfiltration attack chain described in the incident.

AIID #1368

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary Before OpenClaw 2026.4.2, Android accepted non-loopback cleartext `ws://` gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint. ## Impact A user who followed a forged discovery result or scanned a crafted setup code could disclose stored gateway credentials to an attacker-controlled endpoint in plaintext. This was a transport-security bug in the Android gateway client. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `a941a4fef9bc43b2973c92d0dcff5b8a426210c5` — require TLS for remote Android gateway endpoints ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @zsxsoft for reporting.

Exploitation Scenario

An attacker on the same network segment as a target running unpatched OpenClaw Android broadcasts a forged mDNS/discovery beacon advertising a malicious cleartext ws:// gateway endpoint, or delivers a crafted QR setup code via phishing or physical social engineering. The victim's OpenClaw client, lacking TLS enforcement, connects to the attacker's endpoint and transmits stored gateway credentials in plaintext. The attacker captures these credentials and uses them to authenticate to the legitimate gateway, gaining persistent access to the victim's AI agent sessions — enabling them to inject malicious instructions into agent context, intercept sensitive data processed by the agent, or use the gateway as a pivot point into downstream AI infrastructure.