fix: Control UI Insecure Auth Bypass Allows Token-Only Auth Over HTTP by coygeek · Pull Request #20684 · openclaw/openclaw

coygeek · 2026-02-19T06:41:45Z

Fix Summary

The gateway.controlUi.allowInsecureAuth configuration option allows the Control UI to authenticate using only a token over unencrypted HTTP, bypassing both device identity verification and the device pairing requirement. This enables man-in-the-middle attacks where an attacker can intercept the token and gain full administrative access to the gateway.

Issue Linkage

Fixes #20683

Security Snapshot

CVSS v3.1: 8.3 (High)
CVSS v4.0: 8.7 (High)

Implementation Details

Files Changed

src/gateway/server.auth.e2e.test.ts (+24/-4)
src/gateway/server/ws-connection/message-handler.ts (+6/-2)

Technical Analysis

When gateway.controlUi.allowInsecureAuth: true is set, the allowControlUiBypass flag is set to true inside the WebSocket handshake handler. This flag suppresses two distinct security checks: (1) the HTTPS/localhost enforcement block that normally rejects non-secure Control UI connections, and (2) the device pairing requirement that gates new devices. The result is that any client presenting a valid shared secret (token or password) is granted full operator-level scopes over an unencrypted HTTP connection. No device identity is registered or verified. Tokens in transit are fully plaintext-exposed.

Validation Evidence

Command: pnpm build && pnpm check && pnpm test
Status: passed

Risk and Compatibility

non-breaking; no known regression impact

AI-Assisted Disclosure

AI-assisted: yes
Model: GPT-5.3-Codex

Greptile Summary

This PR fixes a critical security vulnerability where gateway.controlUi.allowInsecureAuth: true allowed Control UI to bypass both HTTPS/localhost enforcement and device pairing requirements, enabling man-in-the-middle attacks over unencrypted HTTP.

Changes Made

Modified allowControlUiBypass calculation to exclude allowInsecureControlUi flag, ensuring allowInsecureAuth no longer bypasses secure-context or device-auth checks
Updated tests to verify Control UI now correctly rejects token-only auth over HTTP and enforces pairing requirements even when allowInsecureAuth is enabled
Added telemetry to track when insecureAuthConfigured is set during failed handshake attempts

Issues Found

The security audit message in src/security/audit.ts:352 still describes the old insecure behavior and needs updating to reflect that allowInsecureAuth no longer bypasses security checks

Confidence Score: 4/5

This PR is safe to merge after updating the security audit message - it fixes a critical vulnerability without introducing new security issues
The fix correctly addresses the security vulnerability by preventing allowInsecureAuth from bypassing security checks. Tests comprehensively verify the new behavior. One minor issue: the security audit message needs updating to reflect the fixed behavior
src/security/audit.ts needs the audit message updated to reflect that allowInsecureAuth no longer bypasses security

_{Last reviewed commit: b228890}

greptile-apps

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

greptile-apps · 2026-02-19T06:44:04Z

src/security/audit.ts

security audit message outdated - allowInsecureAuth no longer skips device identity or pairing after this fix

Suggested change

"gateway.controlUi.allowInsecureAuth is deprecated and no longer bypasses security checks.",

Prompt To Fix With AI

This is a comment left during a code review. Path: src/security/audit.ts Line: 352 Comment: security audit message outdated - allowInsecureAuth no longer skips device identity or pairing after this fix ```suggestion "gateway.controlUi.allowInsecureAuth is deprecated and no longer bypasses security checks.", ``` How can I resolve this? If you propose a fix, please make it concise.

@coygeek

…thanks @coygeek

mbelinky · 2026-02-20T17:34:38Z

Merged via squash.

Prepared head SHA: ad9be4b
Merge commit: 40a2926

Thanks @coygeek!

@mbelinky

…openclaw#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky

@mbelinky

…openclaw#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky

@mbelinky

…#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky

@mbelinky

…openclaw#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky

@mbelinky

…openclaw#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky

@mbelinky

…openclaw#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky

@mbelinky

…openclaw#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky

@mbelinky

…openclaw#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky (cherry picked from commit 40a2926)

@mbelinky

…openclaw#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky (cherry picked from commit 40a2926) # Conflicts: # CHANGELOG.md # src/gateway/server.auth.e2e.test.ts # src/gateway/server/ws-connection/message-handler.ts

@mbelinky

…openclaw#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky (cherry picked from commit 40a2926) # Conflicts: # CHANGELOG.md # src/gateway/server.auth.e2e.test.ts # src/gateway/server/ws-connection/message-handler.ts

@mbelinky

…openclaw#20684) Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: ad9be4b Co-authored-by: coygeek <[email protected]> Co-authored-by: mbelinky <[email protected]> Reviewed-by: @mbelinky

openclaw-barnacle bot added gateway Gateway runtime size: XS trusted-contributor labels Feb 19, 2026

greptile-apps bot reviewed Feb 19, 2026

View reviewed changes

Gateway/Security: enforce secure control-ui auth path openclaw#20684 …

ad9be4b

…thanks @coygeek

mbelinky force-pushed the codex/aa-02 branch from b228890 to ad9be4b Compare February 20, 2026 17:34

mbelinky merged commit 40a2926 into openclaw:main Feb 20, 2026
13 checks passed

github-actions bot mentioned this pull request Feb 20, 2026

📡 Upstream Digest — 2026-02-20 18:35 UTC curtismercier/openclaw-mods#78

Open

steipete mentioned this pull request Feb 21, 2026

fix: preserve Web UI scopes when allowInsecureAuth is enabled #17681

Closed

sar618 mentioned this pull request Feb 21, 2026

[Bug]: Web UI Pairing Broken in 2026.2.21 — Security Fix Too Aggressive #22908

Closed

widingmarcus-cyber mentioned this pull request Feb 21, 2026

fix(gateway): restore localhost Control UI pairing when allowInsecureAuth is set #22996

Merged

github-actions bot mentioned this pull request Mar 1, 2026

cherry-pick: upstream bugfix commits (2026-03-01-0443) hughdidit/DAISy-Agency#140

Closed

6 tasks

This was referenced Mar 5, 2026

fix(gateway): allow allowInsecureAuth bypass for loopback-proxy Control UI (#20524) #35837

Closed

fix(gateway): let dangerouslyDisableDeviceAuth fully bypass device identity check #35966

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: Control UI Insecure Auth Bypass Allows Token-Only Auth Over HTTP#20684

fix: Control UI Insecure Auth Bypass Allows Token-Only Auth Over HTTP#20684
mbelinky merged 1 commit intoopenclaw:mainfrom
coygeek:codex/aa-02

coygeek commented Feb 19, 2026 •

edited

Loading

Uh oh!

greptile-apps bot left a comment

Uh oh!

greptile-apps bot Feb 19, 2026

Uh oh!

Uh oh!

mbelinky commented Feb 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants


	"gateway.controlUi.allowInsecureAuth is deprecated and no longer bypasses security checks.",

Uh oh!

Conversation

coygeek commented Feb 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Fix Summary

Issue Linkage

Security Snapshot

Implementation Details

Files Changed

Technical Analysis

Validation Evidence

Risk and Compatibility

AI-Assisted Disclosure

Greptile Summary

Changes Made

Issues Found

Confidence Score: 4/5

Uh oh!

greptile-apps bot left a comment

Choose a reason for hiding this comment

Uh oh!

greptile-apps bot Feb 19, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

mbelinky commented Feb 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

coygeek commented Feb 19, 2026 •

edited

Loading