CVE-2026-44994
Authentication Bypass in OpenClaw Control UI
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.22 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44994 is an authentication bypass vulnerability in OpenClaw versions before 2026.4.22. It affects the Gateway Control UI bootstrap config endpoint, allowing unauthenticated attackers to access sensitive configuration fields without a valid Gateway token. This endpoint is intended to be accessible only to authenticated Control UI sessions, but due to missing authorization checks, attackers can retrieve sensitive bootstrap and configuration information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to access sensitive configuration fields in the OpenClaw Control UI bootstrap config endpoint. This exposure of sensitive configuration information could potentially lead to unauthorized access to sensitive data or system configurations.
Such unauthorized access to sensitive information may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper access controls to prevent unauthorized disclosure.
However, the provided information does not explicitly state the direct impact on compliance with these standards or any regulatory consequences.
How can this vulnerability impact me? :
This vulnerability can impact you by exposing sensitive bootstrap and configuration information of the OpenClaw Gateway Control UI to unauthorized users. Attackers exploiting this flaw can read configuration data that should be protected, potentially leading to further security risks such as information disclosure or aiding in subsequent attacks against the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the bootstrap config endpoint without authentication and observing if sensitive configuration data is returned.
Specifically, you can try to send an unauthenticated HTTP GET request to the endpoint `/__openclaw/control-ui-config.json` on the OpenClaw gateway.
- Use curl to test unauthenticated access: curl -i http://<openclaw-host>/__openclaw/control-ui-config.json
- If the response returns configuration data without requiring a valid Gateway token, the system is vulnerable.
- A secure system should respond with a 401 Unauthorized status code for unauthenticated requests.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenClaw to version 2026.4.22 or later, where the vulnerability has been fixed.
This update enforces authentication on the bootstrap config endpoint, ensuring only authenticated users with a valid Gateway token can access sensitive configuration data.
- Apply the patch or upgrade OpenClaw to version 2026.4.22 as provided in the GitHub Security Advisory GHSA-93rg-2xm5-2p9v.
- Verify that unauthenticated requests to `/__openclaw/control-ui-config.json` return a 401 Unauthorized status.
- Review and monitor access logs for any unauthorized attempts to access the bootstrap config endpoint.