GHSA-QVR7-G57C-MRC7: Authentication Fall-Through via Unresolved SecretRef in OpenClaw Gateway

The OpenClaw application utilizes a Local Gateway Helper to route and authenticate requests between local clients and the primary AI backend. This gateway relies on specific configuration directives, notably gateway.auth.token and gateway.auth.password, to verify inbound connections. Administrators often populate these directives using a SecretRef mechanism, which securely injects credentials from external secret stores or environment variables at runtime.

A logic flaw exists in the gateway's credential resolution infrastructure. When a SecretRef is explicitly configured but fails to resolve its target value due to a missing environment variable or unreachable secret provider, the resolution process does not halt execution. Instead, the runtime improperly treats the failed resolution as an entirely unconfigured state.

This behavior masks underlying configuration errors and triggers the gateway's fallback logic. The system proceeds to evaluate secondary credential sources, leading to a fall-through condition. This origin validation error allows the gateway to inadvertently accept remote credentials or insecure defaults, bypassing the explicit local authentication requirements defined by the administrator.

The intended execution flow requires the gateway to enter a strict fail-closed state if an explicitly defined SecretRef cannot be resolved. The application should block subsequent access attempts and generate a fatal configuration error. This ensures that missing secrets immediately alert operators rather than silently degrading the system's security posture.

The vulnerable logic resides in the credential resolver module. During initialization, the resolver catches exceptions related to missing environment variables or network timeouts when querying external secret providers. However, instead of bubbling these exceptions up the call stack, the resolver swallows the errors and returns a null or empty state. The system cannot distinguish between a directive that was never configured and a directive that failed to resolve.

Because the explicitly configured SecretRef appears unconfigured to the downstream authentication pipeline, the logic moves to the next available verification method. This sequence violates the principle of fail-safe defaults (CWE-305 and CWE-754). The gateway subsequently accepts authentication from synchronized remote accounts, directly contradicting the local-mode configuration intended by the operator.

The root cause stems from inadequate state differentiation within the src/gateway module. The vulnerable implementation utilizes a permissive check that conflates resolution errors with absent configuration keys.

// Vulnerable Logic (Conceptual)
function resolveAuthSecret(configKey) {
    const secretRef = getSecretRef(configKey);
    if (!secretRef) return null; // Unconfigured
    
    try {
        return fetchSecret(secretRef);
    } catch (error) {
        // Flaw: Swallows the error and returns null, matching the unconfigured state.
        console.warn("Failed to resolve secret for", configKey);
        return null; 
    }
}

The patched version introduces strict state evaluation. The fix implements a dedicated ResolutionError that explicitly halts the initialization process or the request pipeline. By enforcing a fail-closed policy, the gateway prevents any unintended fall-through to secondary authentication mechanisms.

// Patched Logic (Conceptual - v2026.3.11)
function resolveAuthSecret(configKey) {
    const secretRef = getSecretRef(configKey);
    if (!secretRef) return null; // Unconfigured
    
    try {
        return fetchSecret(secretRef);
    } catch (error) {
        // Fix: Throws a fatal error to prevent fallback logic from executing.
        throw new ResolutionError(`Critical configuration failure: SecretRef for ${configKey} could not be resolved.`);
    }
}

Exploitation of this vulnerability requires the attacker to possess localized access to the host environment or the ability to influence the gateway's execution context. The target system must specifically rely on SecretRef for primary authentication via gateway.auth.token or gateway.auth.password.

The attack sequence begins by intentionally disrupting the SecretRef resolution process. The attacker unsets the required environment variable, such as OPENCLAW_TOKEN, or manipulates network rules to isolate the gateway from its designated secret provider. This action forces the application into the vulnerable fall-through state during the next initialization cycle.

Following the disruption, the attacker initiates a standard connection request to the gateway. Because the missing secret forces a fallback rather than a failure, the gateway processes the request using secondary remote credentials. If the attacker possesses access to a synchronized remote account, they successfully authenticate locally, entirely bypassing the intended restrictive local security policy.

The primary consequence of this vulnerability is an authentication bypass coupled with configuration masking. Administrators configuring strict local-only access via secret references remain unaware that their security controls are inactive. The system silently degrades to accepting remote or default credentials without halting operation.

The CVSS v3.1 vector evaluates to 3.6 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N). The vulnerability necessitates local environment access and specific configuration conditions, resulting in a high attack complexity (AC:H). The impact on confidentiality and integrity remains low (C:L/I:L), as the exploit scope is constrained to the authorization boundaries of the compromised gateway process.

Operationally, this silent failure mode significantly complicates incident response and auditing. Unauthorized access via fallback credentials appears identical to legitimate remote traffic in standard access logs. The absence of explicit fatal errors during initialization delays the detection of the misconfiguration and extends the window of vulnerability.

The definitive remediation requires upgrading OpenClaw to version 2026.3.11 or later. This release enforces a strict fail-closed state for all explicitly configured but unresolved SecretRef directives, structurally eliminating the fall-through behavior.

Environments unable to immediately deploy the patch must implement operational workarounds. Administrators should explicitly define gateway.auth.mode to enforce local-only authentication, which disables remote account synchronization and prevents the fallback logic from executing successfully.

Security teams must implement continuous monitoring of the gateway's initialization logs. Any warnings indicating failed credential resolutions should trigger immediate alerts. Additionally, infrastructure teams must ensure the high availability of external secret providers and rigidly control permissions surrounding environment variable modifications on the host system.