#VU125221 Insufficient verification of data authenticity in OpenClaw

Published: April 8, 2026


Vulnerability identifier: #VU125221
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-345
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vulnerable software:
OpenClaw
Software vendor:
OpenClaw

Description

The vulnerability allows an attacker on the same local network to disclose sensitive information and modify configuration data.

The vulnerability exists due to improper trust management in src/commands/onboard-remote.ts when accepting discovered gateway endpoints during remote onboarding: a discovered endpoint is used without sufficient verification of its authenticity (CWE-345). An attacker on the local network can advertise a malicious or spoofed discovery endpoint; if the user proceeds with onboarding against it, the attacker can disclose sensitive information and modify configuration data.

User interaction is required (the user must run the remote onboarding flow and accept the discovered endpoint), and exploitation depends on the attacker's endpoint being discovered on the local network, which is reflected in the CVSS vector above (AV:A, UI:A).
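The pattern described above (a discovered endpoint trusted on the strength of its discovery answer alone) and the check that closes it, as an added TypeScript example written for this advisory. It is not OpenClaw's code: the discovery record shape, the hosts, the port, the Ed25519 endpoint signature and the out-of-band fingerprint are all assumptions made for the illustration.

```typescript
import { createHash, createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

// Shape of one discovery answer. Constructed for this example; the real
// discovery record format used by the project is not shown on this page.
interface DiscoveredGateway {
  name: string;
  host: string;
  port: number;
  publicKeyPem?: string; // gateway's Ed25519 public key (SPKI PEM), if advertised
  signature?: string;    // base64 Ed25519 signature over "host:port", if advertised
}

interface OnboardConfig {
  gatewayUrl: string;
  gatewayFingerprint: string; // sha256 hex of the gateway's SPKI DER
}

// Vulnerable pattern (CWE-345): the first answer on the LAN wins and is written
// straight into configuration. Any host that can answer discovery becomes "the gateway".
function onboardUnverified(discovered: DiscoveredGateway[]): OnboardConfig | null {
  const gw = discovered[0];
  if (!gw) return null;
  return { gatewayUrl: `http://${gw.host}:${gw.port}`, gatewayFingerprint: "" };
}

// SHA-256 over the DER-encoded public key: the value the user reads off the real
// gateway out of band (console, QR code) and types into the onboarding flow.
function fingerprintOf(publicKeyPem: string): string {
  const der = createPublicKey(publicKeyPem).export({ type: "spki", format: "der" });
  return createHash("sha256").update(der).digest("hex");
}

// Hardened pattern: discovery only proposes candidates. A candidate is accepted when
// (1) its key matches the fingerprint obtained out of band and (2) it proves possession
// of that key by signing the exact endpoint it advertised, so neither a stranger's key
// nor a copied key+signature replayed on another host passes.
function onboardVerified(
  discovered: DiscoveredGateway[],
  expectedFingerprint: string,
): OnboardConfig | null {
  for (const gw of discovered) {
    if (!gw.publicKeyPem || !gw.signature) continue; // unauthenticated answer
    let ok = false;
    try {
      if (fingerprintOf(gw.publicKeyPem) !== expectedFingerprint) continue;
      ok = verify(null, Buffer.from(`${gw.host}:${gw.port}`), gw.publicKeyPem,
                  Buffer.from(gw.signature, "base64"));
    } catch {
      ok = false; // malformed key or signature
    }
    if (!ok) continue;
    return { gatewayUrl: `https://${gw.host}:${gw.port}`, gatewayFingerprint: expectedFingerprint };
  }
  return null; // nothing trustworthy was found: abort onboarding instead of guessing
}

// Constructed scenario: a real gateway and an attacker on the same LAN who answers
// discovery first. Hosts and port are made up for the example.
function buildScenario(): { records: DiscoveredGateway[]; expectedFingerprint: string } {
  const real = generateKeyPairSync("ed25519", {
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  const attacker = generateKeyPairSync("ed25519", {
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  const endpointSig = (host: string, port: number, privateKeyPem: string): string =>
    sign(null, Buffer.from(`${host}:${port}`), privateKeyPem).toString("base64");

  const realRecord: DiscoveredGateway = {
    name: "openclaw-gateway", host: "192.168.1.20", port: 8443,
    publicKeyPem: real.publicKey, signature: endpointSig("192.168.1.20", 8443, real.privateKey),
  };
  // Attacker 1: same service name, its own key.
  const spoofOwnKey: DiscoveredGateway = {
    name: "openclaw-gateway", host: "192.168.1.66", port: 8443,
    publicKeyPem: attacker.publicKey, signature: endpointSig("192.168.1.66", 8443, attacker.privateKey),
  };
  // Attacker 2: replays the real gateway's public key and signature from its own host.
  const spoofReplay: DiscoveredGateway = {
    name: "openclaw-gateway", host: "192.168.1.66", port: 8443,
    publicKeyPem: real.publicKey, signature: realRecord.signature,
  };
  return { records: [spoofOwnKey, spoofReplay, realRecord], expectedFingerprint: fingerprintOf(real.publicKey) };
}
```

In practice the hardened flow would also display the selected host and fingerprint and require explicit confirmation before any configuration is written or credentials are sent; the point is that the out-of-band fingerprint, not the discovery answer, is what establishes authenticity, and that an answer which cannot be verified causes onboarding to stop rather than fall back to trust.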


Remediation

Install the security update from the vendor's website.

External links