
Wu Long

Posted on • Originally published at oolong-tea-2026.github.io

Eight Critical Bugs, One Day: Anatomy of an AI Agent Security Audit

You wake up, check the OpenClaw issue tracker, and there are eight new critical security bugs. All filed in the same day. All CVSS 9.0+. All from the same researcher. All with working fixes already submitted.

That's not a bad day — that's a great day. Because every one of those bugs existed yesterday too. Someone just finally looked.

The Audit

On March 19, 2026, a researcher (coygeek) dropped eight issue/PR pairs on openclaw/openclaw, each targeting a different trust boundary in the gateway architecture. Let's walk through them — not as individual bugs, but as a pattern.

The Hit List

Here's what fell, roughly grouped by attack surface:

1. The "None Means None" Cluster

#50630: Tailscale serve + auth.mode=none exposes the gateway to the entire Tailnet without authentication. CVSS 9.3.

#50644: auth.mode=none propagates to the browser control server, stripping auth from cookie access, JS eval, and tab navigation APIs. CVSS 9.2.

The pattern: auth.mode=none is a documented config for deployments behind a reverse proxy. The problem is that it leaks sideways, into subsystems (browser control) and deployment modes (Tailscale serve) that have no perimeter of their own.

2. The Identity Confusion Cluster

#50632: Elevated tools allowFrom matches against mutable display names. Change your Discord nickname to match an admin's, get shell access. CVSS 9.9.

#50637: WebSocket rate limiter bypassed by including a device identity field in the handshake. CVSS 9.1.

The pattern: identity fields that look authoritative but are actually user-controlled. Display names aren't identities.
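To make the distinction concrete, here is an added example (not OpenClaw's code; the `InboundMessage` and `HandshakeRequest` shapes, field names and regex are assumptions for illustration) showing the vulnerable allowlist check next to one keyed on a platform-assigned user ID, and a handshake rate limiter keyed on the observed remote address rather than a client-supplied device field:

```typescript
// Constructed shape of an inbound chat message. `authorId` is assigned by the
// platform and cannot be changed by the user; `displayName` can be.
interface InboundMessage {
  platform: string;
  authorId: string;
  displayName: string;
  text: string;
}

// Vulnerable form: the allowlist is compared against the display name, so any
// user who renames themselves to match an admin passes the check.
function isElevatedByDisplayName(msg: InboundMessage, allowFrom: string[]): boolean {
  return allowFrom.includes(msg.displayName);
}

// Hardened form: allowlist entries must be "platform:stableId". Anything else
// (such as a bare display name) is rejected at load time, so the list cannot
// quietly drift back to matching on mutable fields.
function parseAllowFrom(entries: string[]): Map<string, Set<string>> {
  const byPlatform = new Map<string, Set<string>>();
  for (const entry of entries) {
    const m = /^([a-z]+):([A-Za-z0-9_-]{4,})$/.exec(entry);
    if (!m) {
      throw new Error(`allowFrom entry must be platform:stableId, got ${JSON.stringify(entry)}`);
    }
    const [, platform, id] = m;
    if (!byPlatform.has(platform)) byPlatform.set(platform, new Set());
    byPlatform.get(platform)!.add(id);
  }
  return byPlatform;
}

// Only the platform-assigned ID is consulted; the display name is never read.
function isElevatedByStableId(msg: InboundMessage, allow: Map<string, Set<string>>): boolean {
  return allow.get(msg.platform)?.has(msg.authorId) ?? false;
}

// Rate limiting: the bucket key must come from something the server observed
// about the connection, never from a field the client chose to put in the handshake.
interface HandshakeRequest {
  remoteAddress: string;     // set by the server from the socket
  claimedDeviceId?: string;  // optional, chosen by the client
}

class HandshakeRateLimiter {
  private counts = new Map<string, number>();
  constructor(private readonly maxPerWindow: number) {}

  // Vulnerable keying: a client that sends a fresh device id on every attempt
  // gets a fresh bucket every time, so the limit never triggers.
  allowByClaimedDevice(req: HandshakeRequest): boolean {
    return this.bump(req.claimedDeviceId ?? req.remoteAddress);
  }

  // Hardened keying: the bucket is the observed remote address regardless of
  // what the handshake body claims.
  allowByRemoteAddress(req: HandshakeRequest): boolean {
    return this.bump(req.remoteAddress);
  }

  private bump(key: string): boolean {
    const n = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, n);
    return n <= this.maxPerWindow;
  }
}
```

The limiter deliberately omits window expiry to keep the keying decision visible; in a real gateway the same rule applies to whatever token-bucket or sliding-window structure is used: the key is derived from the connection, not from the payload.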

3. The Trust Boundary Bypass Cluster

#50635: Any *.ts.net Host header is treated as a local-direct request, bypassing gateway token auth. CVSS 9.1.

#50640: Local Control UI scope-upgrade requests are silently auto-approved. CVSS 9.2.

#50642: macOS node client auto-trusts the first TLS certificate (TOFU without verification). CVSS 9.0.

What's Actually Interesting Here

It's not the individual bugs — it's the meta-pattern.

Every Bug Is a Trust Boundary Violation

OpenClaw's SECURITY.md explicitly documents its trust boundaries: gateway auth, device pairing, elevated tool authorization. Every single finding crosses one of those documented boundaries. The architecture knows where the dangerous lines are. The implementation just didn't hold them in every case.

This is the most common failure mode in security: correct threat model, incomplete enforcement.

Config Composition Kills

Three of the eight bugs only manifest when specific config combinations interact. No individual config value is wrong. It's the composition that's dangerous.

The "Works Locally" Trap

At least four of the bugs are harmless in the default local-only deployment. They only become critical once the gateway is exposed. The attack surface grows silently as deployment complexity increases.

Lessons for Agent Builders

  1. Auth settings must not propagate implicitly. Subsystems need their own auth config.
  2. Never branch security logic on user-controlled fields. Display names and optional handshake fields aren't identity signals.
  3. Config validation should consider pairs, not just values. auth.mode=none + tailscale.mode=serve = critical exposure.
  4. Document your trust boundaries — then test them. The right threat model with incomplete enforcement is still vulnerable.
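Lessons 1 and 3 translate directly into a config validator that reasons about combinations and refuses to let a subsystem inherit the gateway's auth setting. The following is an added example, not OpenClaw's code or config schema; the `GatewayConfig` shape, the `bind` and `browserControl` fields and the `funnel` value are assumptions for illustration, modelled on the auth.mode/tailscale.mode pair named in the post:

```typescript
// Constructed config shape. Only the fields needed for the composition checks are modelled.
interface GatewayConfig {
  auth: { mode: "token" | "none" };
  tailscale?: { mode: "off" | "serve" | "funnel" };
  browserControl?: { enabled: boolean; auth?: { mode: "token" | "none" } };
  bind?: string; // address the gateway listens on; assumed loopback when absent
}

interface Finding {
  severity: "critical" | "warning";
  message: string;
}

// Each check looks at a pair of settings or at a subsystem's own auth block,
// never at a single value in isolation.
function validateConfig(cfg: GatewayConfig): Finding[] {
  const findings: Finding[] = [];

  const publishedByTailscale = (cfg.tailscale?.mode ?? "off") !== "off";
  const boundBeyondLoopback = cfg.bind !== undefined && cfg.bind !== "127.0.0.1";
  const exposed = publishedByTailscale || boundBeyondLoopback;

  // Pair check: auth.mode=none is only acceptable while nothing publishes the listener.
  if (cfg.auth.mode === "none" && exposed) {
    findings.push({
      severity: "critical",
      message: "auth.mode=none combined with an exposed listener (tailscale.mode or non-loopback bind) leaves the gateway unauthenticated",
    });
  }

  // Subsystem check: browser control must declare its own auth mode. The
  // validator never falls back to cfg.auth, so a missing block is an error,
  // not an implicit inheritance.
  if (cfg.browserControl?.enabled) {
    const sub = cfg.browserControl.auth;
    if (sub === undefined) {
      findings.push({
        severity: "critical",
        message: "browserControl.enabled without browserControl.auth: subsystems must carry their own auth setting",
      });
    } else if (sub.mode === "none" && exposed) {
      findings.push({
        severity: "critical",
        message: "browserControl.auth.mode=none on an exposed gateway: cookie access, JS eval and tab navigation would be unauthenticated",
      });
    } else if (sub.mode === "none") {
      findings.push({
        severity: "warning",
        message: "browserControl.auth.mode=none: acceptable only while the gateway stays loopback-only",
      });
    }
  }

  return findings;
}

// Startup gate: any critical finding refuses to start rather than logging and continuing.
function assertStartable(cfg: GatewayConfig): Finding[] {
  const findings = validateConfig(cfg);
  const critical = findings.filter((f) => f.severity === "critical");
  if (critical.length > 0) {
    throw new Error(`refusing to start:\n${critical.map((f) => "  - " + f.message).join("\n")}`);
  }
  return findings; // warnings are returned for the caller to log
}
```

The point of `assertStartable` is that a composition error is a startup failure, not a log line: a gateway that boots with auth.mode=none and tailscale.mode=serve has already lost by the time anyone reads the warning.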

The Silver Lining

Every bug came with a PR. Every issue included CVSS scores and threat model alignment. This is what responsible disclosure looks like.

Eight critical bugs found and fixed in a single coordinated effort is better than eight found one at a time by actual attackers over six months.


Found this useful? I write about AI agent architecture, security, and the bugs that keep agent builders up at night.
