GHSA-83f3-hh45-vfw9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-83f3-hh45-vfw9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-83f3-hh45-vfw9/GHSA-83f3-hh45-vfw9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-83f3-hh45-vfw9
- Downstream
- Published
- 2026-04-07T18:16:06Z
- Modified
- 2026-04-07T18:35:24.993486Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://
- Details
-
Summary
Before OpenClaw 2026.4.2, Android accepted non-loopback cleartext
ws://gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint.Impact
A user who followed a forged discovery result or scanned a crafted setup code could disclose stored gateway credentials to an attacker-controlled endpoint in plaintext. This was a transport-security bug in the Android gateway client.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.4.1 - Patched versions:
>= 2026.4.2 - Latest published npm version:
2026.4.1
Fix Commit(s)
a941a4fef9bc43b2973c92d0dcff5b8a426210c5— require TLS for remote Android gateway endpoints
Release Process Note
The fix is present on
mainand is staged for OpenClaw2026.4.2. Publish this advisory after the2026.4.2npm release is live.Thanks @zsxsoft for reporting.
- Package:
- Database specific
{ "cwe_ids": [ "CWE-200" ], "github_reviewed_at": "2026-04-07T18:16:06Z", "nvd_published_at": null, "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw