OpenClaw Gateway auth boundaries need a fresh audit
Fresh OpenClaw reports point to several Gateway trust-boundary gaps: managed outgoing image downloads may skip per-session ownership checks for device-token or trusted-proxy callers, trusted-operator plugin HTTP routes may give shared-secret callers admin-like scopes, and trusted-proxy mode may still accept a local password fallback when proxy identity checks fail.
Impact: Risk · Sources: 3 · Audience: operator, developer
These are not cosmetic bugs. They sit on the boundary between one session and another, between narrow caller scopes and admin-like behavior, and between proxy-only auth and a second local auth path. That is exactly where personal-agent operators need conservative defaults.
- Issue #78723 reports device-token callers with chat.history scope can fetch outgoing media from sessions they do not own
- Issue #78731 reports trusted-proxy HTTP auth can bypass requester-session ownership for outgoing media downloads
- Issue #78712 reports shared-secret callers can gain implicit admin scopes on trusted-operator plugin HTTP routes
- Issue #78684 reports trusted-proxy mode still accepts local password fallback under some loopback conditions
- PRs #78732, #78719, and #78694 propose focused fixes, but they are fresh and still open, not yet part of a published release
- Reports are fresh and some fixes are still PR-stage
- Impact depends on Gateway auth mode, device-token usage, plugin route exposure, and whether outgoing media endpoints are reachable
- Operators should avoid sharing media URLs or logs while checking cross-session access behavior
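As an added illustration (not OpenClaw's own code; the `Caller` shape, the function names and the `admin.` scope prefix are assumptions), here are the three boundary checks the reports describe, written as pure functions so each can be unit-tested before any route handler sees a request:

```typescript
// Added illustration, not OpenClaw code: the three boundary checks the reports
// describe, as pure functions an authorization layer could unit-test.
type AuthKind = "device-token" | "trusted-proxy" | "shared-secret" | "operator";

interface Caller {
  kind: AuthKind;
  sessionId: string;   // session the credential was issued for
  scopes: string[];    // e.g. ["chat.history"]
}

// 1. Outgoing media download: the requester must own the session the media
//    belongs to, whatever the auth kind (issues #78723 and #78731). There is
//    deliberately no branch that exempts device-token or trusted-proxy callers.
function canDownloadOutgoingMedia(caller: Caller, mediaSessionId: string): boolean {
  if (!caller.scopes.includes("chat.history")) return false;
  return caller.sessionId === mediaSessionId;
}

// 2. Plugin HTTP routes: scopes come only from the credential itself. A shared
//    secret never implies admin-like scopes (issue #78712). The "admin." prefix
//    is an assumed naming convention; anything under it is stripped unless the
//    caller holds an operator credential.
function effectiveScopes(caller: Caller): string[] {
  if (caller.kind === "operator") return caller.scopes;
  return caller.scopes.filter((s) => !s.startsWith("admin."));
}

// 3. Gateway auth mode: in trusted-proxy mode only the proxy's identity
//    assertion is consulted. A local password, even from loopback, is not a
//    fallback when that check fails (issue #78684).
type AuthMode = "password" | "trusted-proxy";
interface AuthAttempt {
  proxyIdentityOk: boolean;
  passwordOk: boolean;
  loopback: boolean;   // kept for logging only; never an input to the decision
}

function authenticate(mode: AuthMode, a: AuthAttempt): boolean {
  if (mode === "trusted-proxy") return a.proxyIdentityOk;
  return a.passwordOk;   // password mode; loopback grants nothing by itself
}
```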