GHSA-83f3-hh45-vfw9: OpenClaw: cleartext WebSocket exposes gateway credentials

GHSA-83f3-hh45-vfw9 MEDIUM
Published April 7, 2026
CISO Take

OpenClaw's Android client (≤2026.4.1) failed to enforce TLS on remote gateway connections, transmitting stored credentials in plaintext over ws:// whenever a forged discovery beacon or crafted QR setup code redirected the client to an attacker-controlled endpoint. There is no CVSS score, EPSS data, or CISA KEV entry, and no public exploit is known — however, the 37 existing CVEs in this package signal sustained security debt, and the attack requires only network adjacency plus a spoofed beacon, a low bar in shared WiFi, hospitality, or corporate environments. AI teams running OpenClaw as a gateway client on Android should upgrade to 2026.4.2 immediately; organizations unable to patch right away should enforce network-level controls blocking cleartext ws:// and restrict gateway endpoint provisioning to trusted, authenticated sources.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium risk overall, elevated for AI agent deployments dependent on gateway authentication. Exploitation requires network positioning or the ability to deliver a forged discovery signal or QR code — feasible in shared network environments or via phishing. No active exploitation evidence and no public exploit reduce urgency, but stolen gateway credentials grant persistent access to AI agent sessions, enabling follow-on context manipulation or data exfiltration. The 37-CVE history of the openclaw package warrants heightened scrutiny.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm <= 2026.4.1 2026.4.2
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

6 steps
  1. Upgrade openclaw to ≥2026.4.2 on all Android deployments — the fix enforces TLS for remote gateway endpoints.

  2. Rotate gateway credentials for any instance that may have connected over cleartext ws:// on an untrusted network.

  3. Audit network traffic logs for anomalous ws:// connections to non-loopback addresses from mobile OpenClaw clients.

  4. Enforce enterprise network policies (MDM/NAC) that block cleartext WebSocket traffic on corporate devices.

  5. Validate that gateway endpoint provisioning flows (discovery beacons, QR setup codes) originate from authenticated, trusted infrastructure.

  6. Given the 37-CVE package history, schedule a broader security review of OpenClaw's use in your AI agent stack.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15(5) - Cybersecurity of High-Risk AI Systems
ISO 42001
A.8.2 - Information security in AI systems
NIST AI RMF
MANAGE-2.4 - AI Risk Response Mechanisms
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is GHSA-83f3-hh45-vfw9?

OpenClaw's Android client (≤2026.4.1) failed to enforce TLS on remote gateway connections, transmitting stored credentials in plaintext over ws:// whenever a forged discovery beacon or crafted QR setup code redirected the client to an attacker-controlled endpoint. There is no CVSS score, EPSS data, or CISA KEV entry, and no public exploit is known — however, the 37 existing CVEs in this package signal sustained security debt, and the attack requires only network adjacency plus a spoofed beacon, a low bar in shared WiFi, hospitality, or corporate environments. AI teams running OpenClaw as a gateway client on Android should upgrade to 2026.4.2 immediately; organizations unable to patch right away should enforce network-level controls blocking cleartext ws:// and restrict gateway endpoint provisioning to trusted, authenticated sources.

Is GHSA-83f3-hh45-vfw9 actively exploited?

No confirmed active exploitation of GHSA-83f3-hh45-vfw9 has been reported, but organizations should still patch proactively.

How to fix GHSA-83f3-hh45-vfw9?

1. Upgrade openclaw to ≥2026.4.2 on all Android deployments — the fix enforces TLS for remote gateway endpoints. 2. Rotate gateway credentials for any instance that may have connected over cleartext ws:// on an untrusted network. 3. Audit network traffic logs for anomalous ws:// connections to non-loopback addresses from mobile OpenClaw clients. 4. Enforce enterprise network policies (MDM/NAC) that block cleartext WebSocket traffic on corporate devices. 5. Validate that gateway endpoint provisioning flows (discovery beacons, QR setup codes) originate from authenticated, trusted infrastructure. 6. Given the 37-CVE package history, schedule a broader security review of OpenClaw's use in your AI agent stack.

What systems are affected by GHSA-83f3-hh45-vfw9?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI gateway clients, mobile AI agent deployments.

What is the CVSS score for GHSA-83f3-hh45-vfw9?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksAI gateway clientsmobile AI agent deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15(5)
ISO 42001: A.8.2
NIST AI RMF: MANAGE-2.4
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

## Summary Before OpenClaw 2026.4.2, Android accepted non-loopback cleartext `ws://` gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint. ## Impact A user who followed a forged discovery result or scanned a crafted setup code could disclose stored gateway credentials to an attacker-controlled endpoint in plaintext. This was a transport-security bug in the Android gateway client. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `a941a4fef9bc43b2973c92d0dcff5b8a426210c5` — require TLS for remote Android gateway endpoints ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @zsxsoft for reporting.

Exploitation Scenario

An attacker on the same network segment as a target running unpatched OpenClaw Android broadcasts a forged mDNS/discovery beacon advertising a malicious cleartext ws:// gateway endpoint, or delivers a crafted QR setup code via phishing or physical social engineering. The victim's OpenClaw client, lacking TLS enforcement, connects to the attacker's endpoint and transmits stored gateway credentials in plaintext. The attacker captures these credentials and uses them to authenticate to the legitimate gateway, gaining persistent access to the victim's AI agent sessions — enabling them to inject malicious instructions into agent context, intercept sensitive data processed by the agent, or use the gateway as a pivot point into downstream AI infrastructure.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

Timeline

Published
April 7, 2026
Last Modified
April 7, 2026
First Seen
April 7, 2026

Related Vulnerabilities