CVE-2026-32045

EPSS 0.09%

OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes

發布日:2026/3/3修改日:2026/3/24

描述

### Summary When tokenless Tailscale auth is enabled, OpenClaw should only allow forwarded-header auth for Control UI websocket authentication on trusted hosts. In affected versions, that tokenless path could also be used by HTTP gateway auth call sites, which could bypass token/password requirements for HTTP routes in trusted-network deployments. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected range: `<= 2026.2.19-2` (latest published npm version as of February 21, 2026) - Patched in: planned `2026.2.21` release ### Impact Deployments relying on token/password for HTTP gateway routes could be downgraded to tokenless behavior when Tailscale header auth is enabled. This weakens expected HTTP route authentication boundaries even in trusted-host network setups. Per SECURITY.md, this does not affect the recommended setup: keep the Gateway loopback-only (or otherwise within a trusted host/network boundary), use Tailscale serve/funnel for remote access, and keep tokenless Tailscale auth scoped to Control UI websocket login. ### Fix - Added an explicit auth-surface gate (`allowTailscaleHeaderAuth`, default `false`) in gateway auth. - Enabled tokenless Tailscale header auth only for Control UI websocket authentication. - Kept HTTP gateway auth call sites on token/password auth paths. - Added regression coverage for HTTP-vs-websocket behavior and Tailscale header handling. ### Fix Commit(s) - `356d61aacfa5b0f1d5830716ec59d70682a3e7b8` ### Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.21`) so once npm release is published, this advisory can be published directly without further field edits. OpenClaw thanks @zpbrent for reporting.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

參考連結(5)