
OpenClaw: Bypassing Gateway Authentication for Plugin Channels

GHSA-8j2w-6fmm-m587
Summary

OpenClaw's plugin channel endpoints can be reached without gateway authentication, allowing unauthorized callers to use APIs that are meant to be protected. The gateway authentication guard matches the raw request path exactly, while some plugin handlers canonicalize the path (decoding and lowercasing it) before routing, so a request can reach a plugin as a channel route without ever passing the guard. The fix is to make plugin handlers follow the same path handling as the gateway authentication system.

What to do
  • Update openclaw to version 2026.2.26.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.25 | 2026.2.26 |
Original title
OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch
Original description
### Summary
Gateway auth for plugin channel endpoints can be bypassed when path canonicalization differs between the gateway guard and plugin handler routing.

### Details
On affected versions, `server-http` only applies gateway auth when raw `requestPath` matches exactly:
- `/api/channels`
- `/api/channels/*`

If a plugin handler canonicalizes path input (for example `decodeURIComponent(pathname).toLowerCase()`), requests like:
- `/API/channels/nostr/default/profile`
- `/api/channels%2Fnostr%2Fdefault%2Fprofile`
can be interpreted as `/api/channels/*` by the plugin, while the gateway auth guard is skipped.
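To make the mismatch concrete, the following is an added example (not OpenClaw's own code) that models both sides described above: a guard that matches the raw path exactly, a plugin that canonicalizes with `decodeURIComponent(...).toLowerCase()`, and a hardened guard that applies the same canonicalization before matching. Function names and the sample paths list are constructed for illustration; the sample paths are the ones given in the advisory plus an unrelated route.

```javascript
// Added example, not OpenClaw's code. All names are hypothetical.
const PROTECTED_PREFIX = "/api/channels";

function matchesChannels(path) {
  return path === PROTECTED_PREFIX || path.startsWith(PROTECTED_PREFIX + "/");
}

// Vulnerable guard: decides on the raw requestPath, exactly as received.
function rawGuardRequiresAuth(requestPath) {
  return matchesChannels(requestPath);
}

// Canonicalization the plugin applies before routing (as described above).
function pluginCanonicalize(requestPath) {
  return decodeURIComponent(requestPath).toLowerCase();
}

// Which requests the plugin itself treats as /api/channels/* routes.
function pluginRoutesToChannels(requestPath) {
  return matchesChannels(pluginCanonicalize(requestPath));
}

// Hardened guard: canonicalize with the same rules as the handler, then match.
// Malformed percent-encoding makes decodeURIComponent throw; fail closed.
function hardenedGuardRequiresAuth(requestPath) {
  let canonical;
  try {
    canonical = pluginCanonicalize(requestPath);
  } catch (err) {
    return true;
  }
  return matchesChannels(canonical);
}

// Boundary check: paths the plugin would serve as channel routes while the
// given guard would let through without authentication.
function findBoundaryMismatches(paths, guard) {
  return paths.filter((p) => pluginRoutesToChannels(p) && !guard(p));
}

// Constructed sample input: the advisory's paths plus one unrelated route.
const SAMPLE_PATHS = [
  "/api/channels/nostr/default/profile",
  "/API/channels/nostr/default/profile",
  "/api/channels%2Fnostr%2Fdefault%2Fprofile",
  "/healthz",
];
```

Running `findBoundaryMismatches(SAMPLE_PATHS, rawGuardRequiresAuth)` returns the two variant paths, while the hardened guard returns none.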

### Impact
Authentication boundary bypass for plugin channel HTTP routes under canonicalization mismatch conditions. Unauthorized callers may access plugin channel APIs that are expected to require gateway auth.

CWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N` (Base 5.3, Moderate)
GHSA CVSS 3.1 score: 4.8
Vulnerability type
CWE-288 Authentication Bypass Using an Alternate Path or Channel
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026