CVSS 3.1 base score: 5.7

OpenClaw Gateway Token Leaked on Shared-User Installs

GHSA-v3j7-34xh-6g3w
Summary

If you have OpenClaw installed on a shared computer where multiple users have local access, an attacker can steal the OpenClaw token and use it to access your Gateway. This only affects installations where multiple users share the same machine or host. To fix, upgrade to version 2026.2.22 or later.

What to do
  • Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| | openclaw | <= 2026.2.21-2 | 2026.2.22 |
Original title
OpenClaw Loopback CDP probe can leak Gateway token to local listener
Original description
### Summary
A local process can capture the OpenClaw Gateway auth token from Chrome CDP probe traffic on loopback.

### Details
Affected versions inject `x-openclaw-relay-token` for loopback CDP URLs, and CDP reachability probes send that header to `/json/version`.
If an attacker controls the probed loopback port, they can read that token and reuse it as Gateway bearer auth.

Relevant code paths (pre-fix):
- `src/browser/extension-relay.ts` (`getChromeExtensionRelayAuthHeaders`)
- `src/browser/cdp.helpers.ts` (`getHeadersWithAuth`)
- `src/browser/chrome.ts` (`fetchChromeVersion`)

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published (at triage): `2026.2.21-2`
- Vulnerable: `<= 2026.2.21-2`
- Patched: `>= 2026.2.22`

### Deployment Model Applicability
This does **not** change OpenClaw’s documented security model for standard single-owner installs (you own the machine/VPS and trust local processes under that OS account boundary).
Risk is for **non-standard shared-user/shared-host installs** where an untrusted local user/process can race/bind the loopback relay port.

### Impact
- Local credential disclosure.
- Follow-on impact depends on local deployment and enabled Gateway capabilities.

### Fix Commit(s)
- `afa22acc4a09fdf32be8a167ae216bee85c30dad`

### Release Process Note
Patched version is set to >= 2026.2.22 for the published release.

OpenClaw thanks @tdjackey for reporting.
Source: GHSA · CVSS 3.1: 5.7
Vulnerability type
CWE-290 Authentication Bypass by Spoofing
CWE-306 Missing Authentication for Critical Function
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026