Executive Summary

CVE-2026-40045 is a vulnerability in OpenClaw versions prior to 2026.4.2 where the software accepts non-loopback cleartext WebSocket (ws://) gateway endpoints and transmits stored gateway credentials over these unencrypted connections.

An attacker can exploit this by forging discovery results or crafting setup codes to redirect clients to malicious WebSocket endpoints, allowing them to intercept plaintext gateway credentials.

This issue is classified under CWE-319 (Cleartext Transmission of Sensitive Information) and was fixed by enforcing TLS (wss://) for remote gateway endpoints in version 2026.4.2.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the disclosure of sensitive gateway credentials in plaintext to attackers who manage to redirect clients to malicious endpoints.

Such credential exposure can allow attackers to gain unauthorized access to gateway devices or networks, potentially compromising security and privacy.

Because the credentials are transmitted unencrypted, attackers within network range or those who can manipulate discovery processes can intercept these credentials.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the transmission of stored gateway credentials over unencrypted WebSocket (ws://) connections to non-loopback endpoints. To detect this on your network or system, you can monitor network traffic for unencrypted WebSocket connections that carry sensitive credential data.

Suggested commands include using network packet capture tools like tcpdump or Wireshark to filter for WebSocket traffic over port 80 or other non-TLS ports, and inspecting the payload for credential information.

• tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
• Use Wireshark with a filter: websocket and tcp.port == 80

Look specifically for WebSocket connections using the ws:// scheme (unencrypted) rather than wss:// (encrypted). Any discovery or setup traffic redirecting clients to non-loopback ws:// endpoints should be considered suspicious.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.4.2 or later, where this vulnerability has been fixed by enforcing TLS (wss://) for all non-loopback remote gateway endpoints.

Until the upgrade can be applied, avoid using or accepting non-loopback cleartext WebSocket (ws://) gateway endpoints, as these transmit credentials in plaintext and are vulnerable to interception.

Additionally, restrict network access to trusted endpoints and monitor for any suspicious redirection or discovery beacon activity that could redirect clients to malicious endpoints.

For development or local testing, cleartext connections are allowed only on loopback addresses (e.g., localhost, 127.0.0.1, ::1) and emulator bridge hosts (e.g., 10.0.2.2), so ensure that production environments do not rely on these exceptions.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-40045 involves the cleartext transmission of stored gateway credentials over unencrypted WebSocket connections, which can lead to the disclosure of sensitive information to attackers.

Such exposure of sensitive credentials in plaintext can violate data protection principles found in common standards and regulations like GDPR and HIPAA, which require the protection of sensitive data in transit using appropriate security measures such as encryption.

Therefore, this vulnerability could negatively impact compliance by failing to ensure confidentiality and integrity of sensitive authentication data during transmission.

Useful 0 Not Useful 0