GHSA-QVR7-G57C-MRC7: Authentication Fall-Through via Unresolved SecretRef in OpenClaw Gateway
Vulnerability ID: GHSA-QVR7-G57C-MRC7
CVSS Score: 3.6
Published: 2026-03-13
In OpenClaw versions prior to v2026.3.11, the local gateway helper contains a logic flaw in its credential resolution mechanism. When authentication credentials configured via SecretRef fail to resolve, the system defaults to an unset state rather than failing securely. This allows unintended fall-through to remote or default credentials, potentially bypassing intended local authentication requirements.
TL;DR
OpenClaw < v2026.3.11 fails to properly handle unresolved SecretRef configurations in the gateway module, leading to an authentication fallback vulnerability that bypasses intended local security constraints.
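The flaw class described above, shown as lenient and fail-closed resolution side by side. This is an added TypeScript illustration, not OpenClaw's code: the config shape, the env-var backed SecretRef form (`{ "secretRef": "<ENV_VAR>" }`), the `gateway.auth.mode` values and every function name below are assumptions made for the example.

```typescript
// Added illustration of the flaw class described in this advisory; this is not
// OpenClaw's code. The config shape, the env-var backed SecretRef and the helper
// names are assumptions made for the example.

type Env = Record<string, string | undefined>;
type SecretRef = { secretRef: string };          // assumed: { "secretRef": "<ENV_VAR>" }
type AuthValue = string | SecretRef | undefined;

interface GatewayAuth {
  mode?: "local" | "remote";                    // assumed gateway.auth.mode values
  token?: AuthValue;                            // local credential: literal or SecretRef
}

interface AuthResult { source: "local" | "remote"; token: string }

function isSecretRef(v: AuthValue): v is SecretRef {
  return typeof v === "object" && v !== null && typeof (v as SecretRef).secretRef === "string";
}

// Vulnerable resolution: an unresolvable SecretRef collapses to undefined, which
// downstream code cannot distinguish from "no local credential was configured".
function resolveLenient(v: AuthValue, env: Env): string | undefined {
  if (!isSecretRef(v)) return v;
  return env[v.secretRef];                      // undefined when the variable is missing
}

function authenticateLenient(cfg: GatewayAuth, env: Env, remoteDefault: string): AuthResult {
  const local = resolveLenient(cfg.token, env);
  if (local !== undefined) return { source: "local", token: local };
  // Fall-through: the operator configured a local credential, but because it did
  // not resolve, the gateway quietly proceeds with the remote/default one.
  return { source: "remote", token: remoteDefault };
}

// Fail-closed resolution: an unresolved SecretRef is a fatal initialization error,
// so the gateway never starts in an unintended authentication state.
function resolveStrict(v: AuthValue, env: Env): string | undefined {
  if (!isSecretRef(v)) return v;
  const value = env[v.secretRef];
  if (value === undefined || value === "") {
    throw new Error(`SecretRef '${v.secretRef}' could not be resolved; refusing to start`);
  }
  return value;
}

function authenticateStrict(cfg: GatewayAuth, env: Env, remoteDefault: string): AuthResult {
  const local = resolveStrict(cfg.token, env);
  if (local !== undefined) return { source: "local", token: local };
  // Remote/default credentials are only acceptable when explicitly opted into.
  if (cfg.mode === "remote") return { source: "remote", token: remoteDefault };
  throw new Error("no local credential configured and gateway.auth.mode is not 'remote'");
}

// Constructed scenario: gateway.auth.token points at an env var that is absent,
// e.g. because the secret provider that populates it was unavailable at start-up.
const sampleAuth: GatewayAuth = { mode: "local", token: { secretRef: "OPENCLAW_GATEWAY_TOKEN" } };
const missingEnv: Env = {};
const populatedEnv: Env = { OPENCLAW_GATEWAY_TOKEN: "constructed-local-token" };
const REMOTE_DEFAULT = "constructed-remote-default";
```

With `missingEnv`, `authenticateLenient` returns the remote default and reports nothing wrong, which is the masking the advisory describes; `authenticateStrict` throws before any credential is chosen, which is the observable behaviour the remediation step "restarting the gateway without the required secrets results in a fatal initialization error" checks for.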
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-305, CWE-754
- Attack Vector: Local
- CVSS v3.1: 3.6
- Impact: Authentication Bypass / Configuration Masking
- Exploit Status: PoC Available
- Patched Version: v2026.3.11
Affected Systems
- OpenClaw Local Gateway Helper
- OpenClaw: < 2026.3.11 (Fixed in: v2026.3.11)
Mitigation Strategies
- Upgrade OpenClaw to version 2026.3.11 or later to implement the strict fail-closed resolution logic.
- Explicitly set gateway.auth.mode to enforce local authentication and disable remote credential fallback.
- Ensure robust availability and monitoring of all environment variables and external secret providers referenced by SecretRef.
Remediation Steps
- Identify all OpenClaw instances running versions prior to v2026.3.11.
- Review the gateway configuration files (openclaw.json or config.yaml) for usage of SecretRef in gateway.auth directives.
- Update the OpenClaw deployment to v2026.3.11.
- Verify that restarting the gateway without the required secrets results in a fatal initialization error.
- Audit access logs for historical evidence of unauthorized remote credential usage originating locally.
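A helper for the configuration review above (find every SecretRef under gateway.auth, check whether each one resolves in the current environment, and confirm gateway.auth.mode is set explicitly as the mitigation list recommends). This is an added TypeScript example, not OpenClaw tooling; it assumes a SecretRef is serialised in openclaw.json as `{ "secretRef": "<ENV_VAR>" }` and that the auth block lives at `gateway.auth`. Both are constants at the top so they can be adjusted if the real layout differs.

```typescript
// Added audit helper for the remediation steps above; not OpenClaw tooling.
// Assumption: a SecretRef is serialised as { "secretRef": "<ENV_VAR>" } and the
// gateway auth block lives at gateway.auth. Adjust these two constants if not.
const AUTH_PATH = ["gateway", "auth"];
const SECRET_REF_KEY = "secretRef";

interface SecretRefFinding {
  path: string;          // dotted path inside the config, e.g. gateway.auth.token
  envVar: string;        // environment variable the reference points at
  resolvable: boolean;   // present and non-empty in the supplied environment
}

interface AuditResult {
  modeExplicit: boolean;
  refs: SecretRefFinding[];
  findings: string[];    // human-readable problems; empty when the config passes
}

function getPath(obj: unknown, path: string[]): unknown {
  let cur: unknown = obj;
  for (const key of path) {
    if (typeof cur !== "object" || cur === null) return undefined;
    cur = (cur as Record<string, unknown>)[key];
  }
  return cur;
}

// Depth-first walk collecting every SecretRef beneath `node`.
function collectSecretRefs(node: unknown, prefix: string, env: Record<string, string | undefined>, out: SecretRefFinding[]): void {
  if (typeof node !== "object" || node === null) return;
  const rec = node as Record<string, unknown>;
  if (typeof rec[SECRET_REF_KEY] === "string") {
    const envVar = rec[SECRET_REF_KEY] as string;
    const value = env[envVar];
    out.push({ path: prefix, envVar, resolvable: value !== undefined && value !== "" });
    return;
  }
  for (const k of Object.keys(rec)) {
    collectSecretRefs(rec[k], prefix ? `${prefix}.${k}` : k, env, out);
  }
}

function auditGatewayAuth(configJson: string, env: Record<string, string | undefined>): AuditResult {
  const config = JSON.parse(configJson) as unknown;
  const auth = getPath(config, AUTH_PATH);
  const refs: SecretRefFinding[] = [];
  collectSecretRefs(auth, AUTH_PATH.join("."), env, refs);
  const mode = getPath(auth, ["mode"]);
  const modeExplicit = typeof mode === "string" && mode.length > 0;
  const findings: string[] = [];
  if (!modeExplicit) {
    findings.push("gateway.auth.mode is not set explicitly; set it to enforce local authentication");
  }
  for (const r of refs) {
    if (!r.resolvable) {
      findings.push(`${r.path} references ${r.envVar}, which is missing from the environment; an unpatched gateway would silently fall through`);
    }
  }
  return { modeExplicit, refs, findings };
}

// Constructed sample openclaw.json (not a real OpenClaw configuration).
const sampleOpenclawJson = JSON.stringify({
  gateway: {
    auth: {
      token: { secretRef: "OPENCLAW_GATEWAY_TOKEN" },
      remote: { apiKey: { secretRef: "OPENCLAW_REMOTE_KEY" } },
    },
  },
});
```

Run `auditGatewayAuth(fileContents, process.env)` on each instance found in the first remediation step; a non-empty `findings` array means either the mode is implicit or a referenced secret would not resolve, which is exactly the state in which a pre-v2026.3.11 gateway falls through.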
References
- GitHub Advisory: GHSA-QVR7-G57C-MRC7
- OpenClaw Repository
- OpenClaw Security Documentation
- Aliyun Vulnerability Database