Lucene search

8 matches found

CVE
added 2026/05/06 7:49 p.m., 10 views

CVE-2026-43585

OpenClaw (affected component: gateway authentication) exposes a bearer token validation flaw prior to version 2026.4.15. The issue occurs because the service captures the resolved bearer-auth configuration at startup and does not re-resolve authentication per request after SecretRef rotation, all...

9.8 CVSS, 5.8 AI score, 0.00131 EPSS
Exploits 1, References 3, Affected Software 1

Cvelist
added 2026/04/20 11:8 p.m., 26 views

CVE-2026-40045 OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints

OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malicious endpoints, disclosing plaintext gateway credentials...

5.9 CVSS, 0.00006 EPSS
Exploits 0, References 3

Vulnrichment
added 2026/04/03 10:53 p.m., 1 views

CVE-2026-34952 PraisonAI: Missing Authentication in WebSocket Gateway

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...

9.1 CVSS, 5.9 AI score, 0.00022 EPSS
Exploits 1, References 1

Cvelist
added 2026/04/03 10:53 p.m., 17 views

CVE-2026-34952 PraisonAI: Missing Authentication in WebSocket Gateway

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...

9.1 CVSS, 0.00022 EPSS
Exploits 1, References 1

CVE
added 2026/04/03 10:53 p.m., 8 views

CVE-2026-34952

CVE-2026-34952 / GHSA-CFH6-VR3J-QC3G : The PraisonAI Gateway server has missing authentication on its WebSocket interface. The gateway serves agent topology at /info and accepts WebSocket connections at /ws without validating credentials, allowing any network client to enumerate registered agents...

9.1 CVSS, 5.9 AI score, 0.00022 EPSS
Exploits 1, References 1, Affected Software 1

OSV
added 2026/04/01 11:28 p.m., 0 views

GHSA-CFH6-VR3J-QC3G PraisonAI Has Missing Authentication in WebSocket Gateway

Summary: The PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. Details: gateway/server.py:242 source -...

9.1 CVSS, 6 AI score, 0.00022 EPSS
Exploits 1, References 3

Positive Technologies
added 2026/04/01 12:0 a.m., 0 views

PT-2026-29828

Name of the Vulnerable Software and Affected Versions: PraisonAI versions prior to 4.5.87. Description: The PraisonAI Gateway server lacks authentication for WebSocket connections at the /ws endpoint and exposes agent topology at the /info endpoint without authentication. This allows any network...

9.1 CVSS, 6.1 AI score, 0.00022 EPSS
Exploits 1, References 9

CVE
added 2026/03/05 9:59 p.m., 9 views

CVE-2026-28472

OpenClaw CVE-2026-28472 affects the gateway WebSocket connect handshake. The vulnerability allows bypassing device-identity checks when an auth.token is present but not validated, enabling attackers to connect to the gateway without device identity or pairing and potentially gain operator access ...

9.8 CVSS, 5.9 AI score, 0.00062 EPSS
Exploits 0, References 3, Affected Software 1