Executive Summary

CVE-2026-44994 is an authentication bypass vulnerability in OpenClaw versions before 2026.4.22. It affects the Gateway Control UI bootstrap config endpoint, allowing unauthenticated attackers to access sensitive configuration fields without a valid Gateway token. This endpoint is intended to be accessible only to authenticated Control UI sessions, but due to missing authorization checks, attackers can retrieve sensitive bootstrap and configuration information.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by exposing sensitive bootstrap and configuration information of the OpenClaw Gateway Control UI to unauthorized users. Attackers exploiting this flaw can read configuration data that should be protected, potentially leading to further security risks such as information disclosure or aiding in subsequent attacks against the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the bootstrap config endpoint without authentication and observing if sensitive configuration data is returned.

Specifically, you can try to send an unauthenticated HTTP GET request to the endpoint `/__openclaw/control-ui-config.json` on the OpenClaw gateway.

• Use curl to test unauthenticated access: curl -i http://<openclaw-host>/__openclaw/control-ui-config.json
• If the response returns configuration data without requiring a valid Gateway token, the system is vulnerable.
• A secure system should respond with a 401 Unauthorized status code for unauthenticated requests.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade OpenClaw to version 2026.4.22 or later, where the vulnerability has been fixed.

This update enforces authentication on the bootstrap config endpoint, ensuring only authenticated users with a valid Gateway token can access sensitive configuration data.

• Apply the patch or upgrade OpenClaw to version 2026.4.22 as provided in the GitHub Security Advisory GHSA-93rg-2xm5-2p9v.
• Verify that unauthenticated requests to `/__openclaw/control-ui-config.json` return a 401 Unauthorized status.
• Review and monitor access logs for any unauthorized attempts to access the bootstrap config endpoint.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to access sensitive configuration fields in the OpenClaw Control UI bootstrap config endpoint. This exposure of sensitive configuration information could potentially lead to unauthorized access to sensitive data or system configurations.

Such unauthorized access to sensitive information may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper access controls to prevent unauthorized disclosure.

However, the provided information does not explicitly state the direct impact on compliance with these standards or any regulatory consequences.

Useful 0 Not Useful 0