Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.2.21 or later, where the vulnerability is fixed by restricting tokenless Tailscale header authentication exclusively to Control UI/WebSocket traffic and requiring explicit token or password authentication for HTTP gateway routes.

If upgrading immediately is not possible, you should disable the `gateway.auth.allowTailscale` setting to prevent tokenless Tailscale authentication from being applied to HTTP gateway routes.

Additionally, ensure that the OpenClaw gateway is configured to be loopback-only or within a trusted network environment, and avoid exposing it to untrusted local processes.

Review and restrict network access to the OpenClaw gateway to trusted hosts only, minimizing the risk of attackers exploiting the authentication bypass.

Monitor and audit access logs for unauthorized access attempts and unusual authentication bypass patterns.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-32045 is a vulnerability in OpenClaw versions prior to 2026.2.21 where tokenless Tailscale header authentication is incorrectly applied to HTTP gateway routes.

This misconfiguration allows attackers on trusted networks to bypass token and password authentication requirements and gain unauthorized access to HTTP gateway routes.

The issue arises because tokenless Tailscale authentication, which was intended only for Control UI websocket authentication, was mistakenly accessible for HTTP gateway authentication calls.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthorized attackers on trusted networks to access HTTP gateway routes without providing required tokens or passwords.

Such unauthorized access weakens the authentication boundaries and can lead to exposure of sensitive HTTP API endpoints.

The impact is significant because it compromises the security of the gateway by allowing authentication bypass, potentially exposing internal services or data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves verifying whether OpenClaw versions prior to 2026.2.21 are running with tokenless Tailscale header authentication improperly applied to HTTP gateway routes. Specifically, you should check if HTTP gateway routes accept requests without token or password authentication when tokenless Tailscale authentication is enabled.'}, {'type': 'paragraph', 'content': 'One way to detect this is to attempt accessing HTTP gateway routes from a trusted network without providing authentication tokens or passwords and observe if access is granted.'}, {'type': 'paragraph', 'content': 'Additionally, you can inspect the OpenClaw gateway configuration for the setting `gateway.auth.allowTailscale` and verify if it is enabled (true) in versions prior to 2026.2.21.'}, {'type': 'paragraph', 'content': 'For command-line checks, you can use network tools like curl to test HTTP gateway endpoints without authentication headers, for example:'}, {'type': 'list_item', 'content': 'curl -v http://<openclaw-gateway-ip>:<port>/v1/some-endpoint'}, {'type': 'list_item', 'content': 'curl -v --header "x-forwarded-for: <trusted-ip>" --header "tailscale-user-login: <user>" http://<openclaw-gateway-ip>:<port>/v1/some-endpoint'}, {'type': 'paragraph', 'content': 'If these requests succeed without token or password authentication, the system is likely vulnerable.'}, {'type': 'paragraph', 'content': 'You can also use the `tailscale whois <ip>` command to verify the identity resolution of forwarded IP addresses as part of the authentication flow.'}] [1, 3]

Useful 0 Not Useful 0