Guard Bypass Vulnerability in OpenClaw Web Gateway by OpenClaw
CVE-2026-45001

6 MEDIUM

Key Information:

Vendor: Openclaw
Status: Vendor
CVE Published: 11 May 2026

What is CVE-2026-45001?

The OpenClaw agent-facing gateway contains a vulnerability that allows unauthorized changes to critical operator-trusted settings, including sandbox policies, plugin enablement, gateway authentication/TLS, and more. The flaw arises from insufficient guard checks in the config.patch and config.apply endpoints: a malicious actor with access to the owner-only gateway tool can bypass those guards and persistently alter sensitive settings without authorization.

Affected Version(s)

  • OpenClaw 0 < 2026.4.20

  • OpenClaw 2026.4.20

References

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

zsx (@zsxsoft)
KeenSecurityLab
qclawer