CVE-2026-32045

Description

### Summary When tokenless Tailscale auth is enabled, OpenClaw should only allow forwarded-header auth for Control UI websocket authentication on trusted hosts. In affected versions, that tokenless path could also be used by HTTP gateway auth call sites, which could bypass token/password requirements for HTTP routes in trusted-network deployments. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected range: `<= 2026.2.19-2` (latest published npm version as of February 21, 2026) - Patched in: planned `2026.2.21` release ### Impact Deployments relying on token/password for HTTP gateway routes could be downgraded to tokenless behavior when Tailscale header auth is enabled. This weakens expected HTTP route authentication boundaries even in trusted-host network setups. Per SECURITY.md, this does not affect the recommended setup: keep the Gateway loopback-only (or otherwise within a trusted host/network boundary), use Tailscale serve/funnel for remote access, and keep tokenless Tailscale auth scoped to Control UI websocket login. ### Fix - Added an explicit auth-surface gate (`allowTailscaleHeaderAuth`, default `false`) in gateway auth. - Enabled tokenless Tailscale header auth only for Control UI websocket authentication. - Kept HTTP gateway auth call sites on token/password auth paths. - Added regression coverage for HTTP-vs-websocket behavior and Tailscale header handling. ### Fix Commit(s) - `356d61aacfa5b0f1d5830716ec59d70682a3e7b8` ### Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.21`) so once npm release is published, this advisory can be published directly without further field edits. OpenClaw thanks @zpbrent for reporting.

How to fix CVE-2026-32045

To remediate CVE-2026-32045, upgrade the affected package to a fixed version below.

• —upgrade to 2026.2.21 or later

Is CVE-2026-32045 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)