Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d61e1c761f8b · 2026-03-24T18:08:01.000Z
GHSA-hff7-ccv5-52f8 GHSA-qwmf-95r9-gx9x GHSA-qwmf-95r9-gx9x
diff --git a/advisories/github-reviewed/2026/03/GHSA-hff7-ccv5-52f8/GHSA-hff7-ccv5-52f8.json b/advisories/github-reviewed/2026/03/GHSA-hff7-ccv5-52f8/GHSA-hff7-ccv5-52f8.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hff7-ccv5-52f8",
-  "modified": "2026-03-03T18:43:05Z",
+  "modified": "2026-03-24T18:06:03Z",
   "published": "2026-03-03T18:43:04Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32045"
+  ],
   "summary": "OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes",
   "details": "### Summary\nWhen tokenless Tailscale auth is enabled, OpenClaw should only allow forwarded-header auth for Control UI websocket authentication on trusted hosts. In affected versions, that tokenless path could also be used by HTTP gateway auth call sites, which could bypass token/password requirements for HTTP routes in trusted-network deployments.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected range: `<= 2026.2.19-2` (latest published npm version as of February 21, 2026)\n- Patched in: planned `2026.2.21` release\n\n### Impact\nDeployments relying on token/password for HTTP gateway routes could be downgraded to tokenless behavior when Tailscale header auth is enabled. This weakens expected HTTP route authentication boundaries even in trusted-host network setups.\n\nPer SECURITY.md, this does not affect the recommended setup: keep the Gateway loopback-only (or otherwise within a trusted host/network boundary), use Tailscale serve/funnel for remote access, and keep tokenless Tailscale auth scoped to Control UI websocket login.\n\n### Fix\n- Added an explicit auth-surface gate (`allowTailscaleHeaderAuth`, default `false`) in gateway auth.\n- Enabled tokenless Tailscale header auth only for Control UI websocket authentication.\n- Kept HTTP gateway auth call sites on token/password auth paths.\n- Added regression coverage for HTTP-vs-websocket behavior and Tailscale header handling.\n\n### Fix Commit(s)\n- `356d61aacfa5b0f1d5830716ec59d70682a3e7b8`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.21`) so once npm release is published, this advisory can be published directly without further field edits.\n\nOpenClaw thanks @zpbrent for reporting.",
   "severity": [
@@ -38,13 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hff7-ccv5-52f8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32045"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/356d61aacfa5b0f1d5830716ec59d70682a3e7b8"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-http-gateway-routes-via-tokenless-tailscale-auth"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2026/03/GHSA-qwmf-95r9-gx9x/GHSA-qwmf-95r9-gx9x.json b/advisories/github-reviewed/2026/03/GHSA-qwmf-95r9-gx9x/GHSA-qwmf-95r9-gx9x.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qwmf-95r9-gx9x",
+  "modified": "2026-03-24T18:05:53Z",
+  "published": "2026-03-21T03:31:13Z",
+  "withdrawn": "2026-03-24T18:05:53Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes",
+  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-hff7-ccv5-52f8. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2026.2.21"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hff7-ccv5-52f8"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32045"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/356d61aacfa5b0f1d5830716ec59d70682a3e7b8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-http-gateway-routes-via-tokenless-tailscale-auth"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-290"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-24T18:05:53Z",
+    "nvd_published_at": "2026-03-21T01:17:07Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-qwmf-95r9-gx9x/GHSA-qwmf-95r9-gx9x.json b/advisories/unreviewed/2026/03/GHSA-qwmf-95r9-gx9x/GHSA-qwmf-95r9-gx9x.json
