GHSA-83f3-hh45-vfw9: OpenClaw: cleartext WebSocket exposes gateway credentials
GHSA-83f3-hh45-vfw9 MEDIUMOpenClaw's Android client (≤2026.4.1) failed to enforce TLS on remote gateway connections, transmitting stored credentials in plaintext over ws:// whenever a forged discovery beacon or crafted QR setup code redirected the client to an attacker-controlled endpoint. There is no CVSS score, EPSS data, or CISA KEV entry, and no public exploit is known — however, the 37 existing CVEs in this package signal sustained security debt, and the attack requires only network adjacency plus a spoofed beacon, a low bar in shared WiFi, hospitality, or corporate environments. AI teams running OpenClaw as a gateway client on Android should upgrade to 2026.4.2 immediately; organizations unable to patch right away should enforce network-level controls blocking cleartext ws:// and restrict gateway endpoint provisioning to trusted, authenticated sources.
What is the risk?
Medium risk overall, elevated for AI agent deployments dependent on gateway authentication. Exploitation requires network positioning or the ability to deliver a forged discovery signal or QR code — feasible in shared network environments or via phishing. No active exploitation evidence and no public exploit reduce urgency, but stolen gateway credentials grant persistent access to AI agent sessions, enabling follow-on context manipulation or data exfiltration. The 37-CVE history of the openclaw package warrants heightened scrutiny.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.4.1 | 2026.4.2 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
6 steps-
Upgrade openclaw to ≥2026.4.2 on all Android deployments — the fix enforces TLS for remote gateway endpoints.
-
Rotate gateway credentials for any instance that may have connected over cleartext ws:// on an untrusted network.
-
Audit network traffic logs for anomalous ws:// connections to non-loopback addresses from mobile OpenClaw clients.
-
Enforce enterprise network policies (MDM/NAC) that block cleartext WebSocket traffic on corporate devices.
-
Validate that gateway endpoint provisioning flows (discovery beacons, QR setup codes) originate from authenticated, trusted infrastructure.
-
Given the 37-CVE package history, schedule a broader security review of OpenClaw's use in your AI agent stack.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-83f3-hh45-vfw9?
OpenClaw's Android client (≤2026.4.1) failed to enforce TLS on remote gateway connections, transmitting stored credentials in plaintext over ws:// whenever a forged discovery beacon or crafted QR setup code redirected the client to an attacker-controlled endpoint. There is no CVSS score, EPSS data, or CISA KEV entry, and no public exploit is known — however, the 37 existing CVEs in this package signal sustained security debt, and the attack requires only network adjacency plus a spoofed beacon, a low bar in shared WiFi, hospitality, or corporate environments. AI teams running OpenClaw as a gateway client on Android should upgrade to 2026.4.2 immediately; organizations unable to patch right away should enforce network-level controls blocking cleartext ws:// and restrict gateway endpoint provisioning to trusted, authenticated sources.
Is GHSA-83f3-hh45-vfw9 actively exploited?
No confirmed active exploitation of GHSA-83f3-hh45-vfw9 has been reported, but organizations should still patch proactively.
How to fix GHSA-83f3-hh45-vfw9?
1. Upgrade openclaw to ≥2026.4.2 on all Android deployments — the fix enforces TLS for remote gateway endpoints. 2. Rotate gateway credentials for any instance that may have connected over cleartext ws:// on an untrusted network. 3. Audit network traffic logs for anomalous ws:// connections to non-loopback addresses from mobile OpenClaw clients. 4. Enforce enterprise network policies (MDM/NAC) that block cleartext WebSocket traffic on corporate devices. 5. Validate that gateway endpoint provisioning flows (discovery beacons, QR setup codes) originate from authenticated, trusted infrastructure. 6. Given the 37-CVE package history, schedule a broader security review of OpenClaw's use in your AI agent stack.
What systems are affected by GHSA-83f3-hh45-vfw9?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI gateway clients, mobile AI agent deployments.
What is the CVSS score for GHSA-83f3-hh45-vfw9?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0055 Unsecured Credentials AML.T0083 Credentials from AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary Before OpenClaw 2026.4.2, Android accepted non-loopback cleartext `ws://` gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint. ## Impact A user who followed a forged discovery result or scanned a crafted setup code could disclose stored gateway credentials to an attacker-controlled endpoint in plaintext. This was a transport-security bug in the Android gateway client. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `a941a4fef9bc43b2973c92d0dcff5b8a426210c5` — require TLS for remote Android gateway endpoints ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @zsxsoft for reporting.
Exploitation Scenario
An attacker on the same network segment as a target running unpatched OpenClaw Android broadcasts a forged mDNS/discovery beacon advertising a malicious cleartext ws:// gateway endpoint, or delivers a crafted QR setup code via phishing or physical social engineering. The victim's OpenClaw client, lacking TLS enforcement, connects to the attacker's endpoint and transmits stored gateway credentials in plaintext. The attacker captures these credentials and uses them to authenticate to the legitimate gateway, gaining persistent access to the victim's AI agent sessions — enabling them to inject malicious instructions into agent context, intercept sensitive data processed by the agent, or use the gateway as a pivot point into downstream AI infrastructure.
Weaknesses (CWE)
CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw