GHSA-93rg-2xm5-2p9v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-93rg-2xm5-2p9v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-93rg-2xm5-2p9v/GHSA-93rg-2xm5-2p9v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-93rg-2xm5-2p9v
- Downstream
- Published
- 2026-05-04T21:14:17Z
- Modified
- 2026-05-05T16:13:40.192670Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw's Gateway Control UI bootstrap config required Gateway auth
- Details
-
Summary
Gateway Control UI bootstrap config required Gateway auth.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22
Impact
When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions.
Fix
The bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling.
Fix Commit(s)
- 2321d67263bc710e357644d59f746b08d891051b
Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.
OpenClaw thanks @zsxsoft for reporting.
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": null, "cwe_ids": [ "CWE-287" ], "github_reviewed_at": "2026-05-04T21:14:17Z" }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw