[Bug]: Tailscale serve + auth.mode=none exposes gateway to full Tailnet without authentication

[coygeek]

Severity Assessment

CVSS Assessment

Metric	v3.1	v4.0
Score	9.3 / 10.0	9.3 / 10.0
Severity	Critical	Critical
Vector	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Calculator	CVSS v3.1 Calculator	CVSS v4.0 Calculator

Threat Model Alignment

Classification: security-specific

The trust boundary crossed is the gateway authentication boundary: SECURITY.md documents gateway.auth as the credential gate that authenticates callers to gateway APIs, and classifies authenticated callers as trusted operators. When gateway.auth.mode=none is combined with gateway.tailscale.mode=serve, the startup validation in server-runtime-config.ts allows the gateway to start without any authentication credential while simultaneously being exposed to all peers on the user's Tailnet via Tailscale's reverse proxy. The funnel mode has an equivalent guard enforcing password, but the serve-mode path has no parallel check, leaving a startup-validation gap that is not covered by any Out of Scope clause — gateway.auth.mode=none is not a dangerous*/dangerously* config key, and the exposure is not to localhost but to all Tailnet peers.

Impact

When gateway.auth.mode is set to "none" and gateway.tailscale.mode is set to "serve", the gateway is reachable over the user's entire Tailnet with zero authentication. Any Tailnet peer connecting through the Tailscale serve URL receives { ok: true, method: "none" } from authorizeGatewayConnect without presenting any credential, gaining full operator-level access to the gateway control plane.

Affected Component

File: src/gateway/server-runtime-config.ts:124-137

assertGatewayAuthConfigured(resolvedAuth, params.cfg.gateway?.auth); // line 124 — no branch for mode:"none"
if (tailscaleMode === "funnel" && authMode !== "password") {          // line 125
  throw new Error(
    "tailscale funnel requires gateway auth mode=password ...",
  );
}
if (tailscaleMode !== "off" && !isLoopbackHost(bindHost)) {          // line 130
  throw new Error("tailscale serve/funnel requires gateway bind=loopback ...");
}
if (!isLoopbackHost(bindHost) && !hasSharedSecret && authMode !== "trusted-proxy") { // line 133
  throw new Error(
    `refusing to bind gateway to ${bindHost}:${params.port} without auth ...`,
  );
}

File: src/gateway/auth.ts:285-320

export function assertGatewayAuthConfigured(
  auth: ResolvedGatewayAuth,
  rawAuthConfig?: GatewayAuthConfig | null,
): void {
  if (auth.mode === "token" && !auth.token) { ... throw ... }
  if (auth.mode === "password" && !auth.password) { ... throw ... }
  if (auth.mode === "trusted-proxy") { ... throw ... }
  // No branch for mode === "none" — passes silently regardless of tailscale config
}

File: src/gateway/auth.ts:402-404

if (auth.mode === "none") {
  return { ok: true, method: "none" };
}

Technical Reproduction

The startup validation chain in resolveGatewayRuntimeConfig has three relevant guards:

1. assertGatewayAuthConfigured (auth.ts:285) — validates token/password/trusted-proxy preconditions but has no branch for mode === "none". Passes silently for any tailscale configuration.
2. The funnel guard (server-runtime-config.ts:125) — blocks authMode !== "password" when tailscaleMode === "funnel". Does not apply to tailscaleMode === "serve".
3. The non-loopback LAN guard (server-runtime-config.ts:133) — blocks mode: "none" on LAN/custom binds by requiring hasSharedSecret || authMode === "trusted-proxy". Does not apply here because Tailscale serve enforces loopback bind (server-runtime-config.ts:130), so isLoopbackHost(bindHost) is true.

The combination tailscaleMode === "serve" + authMode === "none" satisfies all three guards:

• Guard at line 130 passes because serve mode enforces loopback — which then exempts the connection from the non-loopback guard at line 133.
• The funnel-only guard at line 125 does not apply to serve.
• assertGatewayAuthConfigured passes silently for mode: "none".

resolveGatewayRuntimeConfig succeeds, the gateway starts, and authorizeGatewayConnect unconditionally returns { ok: true, method: "none" } (auth.ts:402-404) for every incoming connection. Tailscale's local proxy relays requests from any Tailnet peer to the loopback gateway port, bypassing the auth check entirely.

Additionally, resolveGatewayAuth at auth.ts:271-273 auto-enables allowTailscale when tailscaleMode === "serve" and mode !== "password" && mode !== "trusted-proxy" — this sets allowTailscale: true for mode: "none" + serve, though the mode: "none" early return in authorizeGatewayConnect fires before the Tailscale header auth path is reached.

Deterministic repro config:

gateway:
  auth:
    mode: none
  tailscale:
    mode: serve

Steps:

1. Set gateway.auth.mode = "none" and gateway.tailscale.mode = "serve" in ~/.openclaw/openclaw.json.
2. Start the gateway: openclaw gateway run.
3. From any other device on the same Tailnet, connect to the Tailscale serve URL (e.g., https://<hostname>.ts.net).
4. Observe: connection is accepted with authMethod: "none" — no token, password, or device pairing required.

Demonstrated Impact

All four guards that could block this configuration fail to do so:

• assertGatewayAuthConfigured (auth.ts:285): handles token, password, and trusted-proxy modes only — mode: "none" hits no branch and returns silently, regardless of Tailscale exposure.
• Funnel guard (server-runtime-config.ts:125): requires password for funnel mode — does not cover serve mode, leaving an asymmetric validation gap.
• Non-loopback guard (server-runtime-config.ts:133): guards against unauthenticated non-loopback binds — cannot fire because Tailscale serve is enforced to loopback at line 130, meaning isLoopbackHost(bindHost) is always true when this path is reached.
• authorizeGatewayConnect (auth.ts:402-404): unconditionally returns { ok: true, method: "none" } for mode: "none" with no consideration of whether Tailscale is active.

The result is operator-level access granted to every Tailnet peer without any credential. An attacker sharing the tailnet — or an attacker who has compromised any tailnet device — can call all gateway HTTP API endpoints (/v1/chat/completions, /v1/responses, /tools/invoke, /api/channels/*) and the WebSocket control plane without authentication.

Environment

Verified against release v2026.3.13-1 (commit 23d5d24b323b98d680f2e8004c902c542e3f9642, published 2026-03-14). Affects any OpenClaw instance configured with gateway.auth.mode=none and gateway.tailscale.mode=serve.

Remediation Advice

Add a guard in resolveGatewayRuntimeConfig that explicitly rejects auth.mode = "none" when tailscaleMode !== "off", matching the existing pattern for the funnel guard at line 125. For example: if tailscaleMode === "serve" && authMode === "none", throw an error requiring the operator to configure a real auth mode. Alternatively, extend assertGatewayAuthConfigured to accept tailscaleMode as a parameter and reject mode: "none" whenever any Tailscale exposure is active.

[Ryce]

CVSS 9.3 on Tailscale serve + auth.mode=none is as serious as it gets — a single misconfigured gateway becomes a full Tailnet compromise with no authentication required from the attacker's side.

Why this is a KeepMyClaw problem: Config corruption and misconfiguration aren't always operator error — they're often the result of a bad write, a partial apply, or a config that looked fine in staging and wasn't tested in production. When that bad config grants unauthenticated Tailnet access, the exposure is already happening before anyone notices.

The recovery story here is brutal without a snapshot: you're forensicating an active compromise, not just rolling back a bad config. With a verified config snapshot, you know exactly what the gateway config was before the misconfiguration, you can prove what changed, and you can roll back to the last known-good state rather than trying to reverse-engineer a live breach.

This is the exact failure mode KeepMyClaw is built for — not "if" your config goes wrong, but "when," and being ready to recover instantly rather than scramble.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[coygeek]

Rechecked this against current upstream/main (9023b120a1) and it still appears unresolved.

The startup validation still only requires gateway.auth.mode=password for tailscale.mode=funnel; there is no equivalent rejection for tailscale.mode=serve with gateway.auth.mode=none. resolveGatewayAuth also still enables Tailscale header auth by default for serve unless the mode is password or trusted-proxy, while authorizeGatewayConnect still returns { ok: true, method: "none" } before any credential path when auth mode is none.

There is also still a runtime-config test that accepts this exact shape (gateway.auth.mode=none plus gateway.tailscale.mode=serve) and asserts loopback binding rather than expecting startup rejection.

This should remain open; please remove the stale label.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-24 14:15 UTC / May 24, 2026, 10:15 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main and the latest release still accept explicit gateway.auth.mode="none" with gateway.tailscale.mode="serve", the auth path still grants method: "none" before any credential path, and the linked fixing PR is open and unmerged.

Reproducibility: yes. at source level. Current main accepts gateway.auth.mode="none" with gateway.tailscale.mode="serve", has a test asserting that shape succeeds, and then authorizes mode none before Tailscale identity or shared-secret checks run.

Next step
Manual review is needed because this is security-sensitive Gateway auth-boundary work and an open linked PR already references this issue with closing syntax.

Security
Needs attention: Current main still has a concrete Gateway authentication-boundary gap when explicit no-auth is combined with Tailscale Serve.

Review details

Best possible solution:

Review, rebase, prove, and land or replace #50631 with shared validation that rejects explicit no-auth plus Tailscale Serve while preserving trusted loopback-only no-auth use.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Current main accepts gateway.auth.mode="none" with gateway.tailscale.mode="serve", has a test asserting that shape succeeds, and then authorizes mode none before Tailscale identity or shared-secret checks run.

Is this the best way to solve the issue?

Yes. Fail-closed validation for explicit no-auth plus Tailscale Serve is the narrow maintainable direction, with matching tests and upgrade proof so operators do not discover the rejection only at runtime.

Label changes:

• remove clawsweeper:fix-shape-clear: Current issue advisory state no longer selects this label.
• remove clawsweeper:linked-pr-open: Current issue advisory state no longer selects this label.

Label justifications:

• P0: The issue reports a concrete Gateway authentication-boundary bypass that can expose operator-level APIs to Tailnet peers without credentials.
• impact:security: The reported behavior crosses the documented Gateway authentication boundary for remotely reachable HTTP and WebSocket surfaces.
• impact:auth-provider: The root behavior is in Gateway auth mode resolution and credential enforcement for Tailscale Serve.

Security concerns:

• [high] Reject no-auth Tailscale Serve startup — src/gateway/server-runtime-config.ts:131
  Startup validation accepts gateway.auth.mode="none" with gateway.tailscale.mode="serve", which can expose Gateway APIs through Tailscale Serve without a shared secret or verified HTTP identity path.
  Confidence: 0.96
• [high] Avoid mode none before Tailscale identity checks — src/gateway/auth.ts:504
  The auth path returns success for mode: "none" before Tailscale identity-header verification can run, so accepted no-auth runtime configs remain credentialless.
  Confidence: 0.94
• [medium] Add shared preflight validation — src/config/validation.ts:778
  Config validation currently checks only the Tailscale loopback bind constraint, so setup paths can accept the unsafe Serve plus no-auth shape before runtime hardening is applied.
  Confidence: 0.84

What I checked:

• Current runtime validation: resolveGatewayRuntimeConfig validates configured auth, rejects non-password auth only for Funnel, enforces loopback for all Tailscale modes, and rejects no-auth only for non-loopback binds; there is no Serve plus mode-none rejection on current main 483d7be. (src/gateway/server-runtime-config.ts:131, 483d7be6c40a)
• Current auth behavior: authorizeGatewayConnectCore returns { ok: true, method: "none" } before token, password, or Tailscale identity-header auth can run. (src/gateway/auth.ts:504, 483d7be6c40a)
• Serve auth resolution: resolveGatewayAuth defaults allowTailscale to true for Serve unless the mode is password or trusted-proxy, which includes explicit mode none; the auth-none early return still wins before the Tailscale branch. (src/gateway/auth-resolve.ts:93, 483d7be6c40a)
• Current regression test accepts the shape: The runtime-config test configures auth: { mode: "none" } with tailscale: { mode: "serve" } and asserts successful loopback binding instead of startup rejection. (src/gateway/server-runtime-config.test.ts:311, 483d7be6c40a)
• Public docs define a local-only no-auth boundary: The configuration reference says gateway.auth.mode: "none" is explicit no-auth mode for trusted local loopback setups, and the Tailscale docs say HTTP API endpoints follow the normal HTTP auth mode rather than Tailscale identity-header auth. Public docs: docs/gateway/configuration-reference.md. (docs/gateway/configuration-reference.md:534, 483d7be6c40a)
• Security policy recommends strong Gateway auth for remote access: SECURITY.md describes the web interface as local-use oriented and recommends SSH tunnel or Tailscale Serve/Funnel plus strong Gateway auth for remote access. (SECURITY.md:294, 483d7be6c40a)

Likely related people:

• steipete: Auth history links this handle to Tailscale tokenless-auth scoping, explicit WS/HTTP auth-surface separation, and async auth rate-limit hardening near the affected path. (role: recent gateway auth/security contributor; confidence: high; commits: 356d61aacfa5, 36a0df423d19, 032dbf0ec6cd; files: src/gateway/auth.ts, src/gateway/auth-resolve.ts)
• gumadeiras: PR history shows gumadeiras authored the merged explicit gateway.auth.mode="none" bootstrap/security work that changed auth.ts, server-runtime-config.ts, and startup-auth.ts. (role: introduced adjacent explicit no-auth behavior; confidence: medium; commits: c5698caca31d; files: src/gateway/auth.ts, src/gateway/server-runtime-config.ts, src/gateway/startup-auth.ts)
• vincentkoc: Recent merged gateway auth work hardened trusted-proxy local fallback and touched the same runtime/auth files around local and proxy trust boundaries. (role: recent gateway auth/runtime contributor; confidence: medium; commits: 1738d540f440; files: src/gateway/auth.ts, src/gateway/server-runtime-config.ts)
• openperf: The container auto-bind change updated server-runtime-config.ts, server-runtime-config.test.ts, and net.ts, including the current test that accepts Serve plus mode none as a loopback bind case. (role: adjacent Tailscale bind/runtime contributor; confidence: medium; commits: c857e9373523; files: src/gateway/server-runtime-config.ts, src/gateway/server-runtime-config.test.ts, src/gateway/net.ts)

Remaining risk / open question:

• No live Tailnet end-to-end run was performed in this read-only review; the reproduction is source-level plus current test/docs/release evidence.
• A fail-closed fix can intentionally stop existing explicit no-auth Serve deployments, so maintainers should own upgrade messaging and proof before landing.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 483d7be6c40a.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main still lacks a startup rejection for Tailscale Serve with gateway.auth.mode="none", the auth path still accepts mode none before Tailscale identity-header auth can run, and open PR #50631 references this issue with closing syntax but remains unmerged.

Required change / next step:

Not queued because this is security-sensitive gateway auth-boundary work and open PR #50631 already references this issue with closing syntax; maintainers should review, land, replace, or close that PR rather than spawn a separate automated repair lane.

Review details

Best possible solution:

Harden Gateway startup so explicit mode none cannot be combined with Tailscale Serve remote exposure unless maintainers intentionally define a separate verified identity-bearing contract, while preserving trusted loopback-only no-auth use and updating runtime-config tests plus public gateway/security docs for the final contract.

What I checked:

• Current runtime validation lacks serve+none rejection: resolveGatewayRuntimeConfig validates auth, rejects non-password auth only for tailscaleMode === "funnel", enforces loopback for Tailscale modes, and rejects no-auth only for non-loopback binds; it has no equivalent rejection for tailscaleMode === "serve" with authMode === "none". (src/gateway/server-runtime-config.ts:135, e46dccb35374)
• Mode none still accepts without credentials: authorizeGatewayConnectCore returns { ok: true, method: "none" } before the Tailscale identity-header branch, so token, password, and verified Tailscale identity checks are bypassed for mode none. (src/gateway/auth.ts:492, e46dccb35374)
• Serve defaults allowTailscale for none mode: resolveGatewayAuth defaults allowTailscale to true for Serve unless the mode is password or trusted-proxy, which includes explicit mode none; the auth-none early return still wins before Tailscale header auth can run. (src/gateway/auth-resolve.ts:93, e46dccb35374)
• Current test accepts the reported config shape: The runtime-config test configures auth: { mode: "none" } with tailscale: { mode: "serve" } and asserts successful loopback binding instead of startup rejection. (src/gateway/server-runtime-config.test.ts:311, e46dccb35374)
• Docs support a local-only no-auth boundary: The config reference says gateway.auth.mode: "none" should be used only for trusted local loopback setups, and the same section says HTTP endpoints do not use Tailscale header auth and follow the normal HTTP auth mode. Public docs: docs/gateway/configuration-reference.md. (docs/gateway/configuration-reference.md:418, e46dccb35374)
• Paired fix PR is open and unmerged: GitHub API data shows PR fix: Tailscale serve + auth.mode=none exposes gateway to full... #50631 is open, unmerged, non-draft, contains Fixes this issue, and changes only src/gateway/server-runtime-config.ts plus src/gateway/server-runtime-config.test.ts. (6bd6ea52f8dc)

Likely related people:

• steipete: Current local blame on the affected runtime/auth files points to Peter Steinberger's current-main checkout history, and the prior ClawSweeper/GitHub path-history evidence links steipete to repeated gateway auth and security-boundary hardening around trusted-proxy, pairing locality, shared auth helpers, Control UI origins, and bind fallback behavior. (role: gateway auth/security maintainer; confidence: high; commits: 34d11d57579d, 1a98938479b3, dc2c3a4920a2; files: src/gateway/auth.ts, src/gateway/server-runtime-config.ts, src/gateway/server-runtime-config.test.ts)
• vincentkoc: Prior ClawSweeper/GitHub path-history evidence for this item links vincentkoc to recent maintenance on the same runtime/auth files, including legacy env auth warnings, startup config import cleanup, and trusted-proxy hardening near this validation surface. (role: recent gateway auth/runtime maintainer; confidence: medium; commits: aa1834a3ff56, 1497425b8dbb, 1738d540f440; files: src/gateway/server-runtime-config.ts, src/gateway/auth.ts, src/gateway/auth-resolve.ts)

Remaining risk / open question:

• No live Tailnet end-to-end reproduction was run in this read-only sweep; the keep-open decision is based on current source, docs, tests, issue discussion, and related PR state.
• Open PR fix(gateway): default gateway.auth.mode to 'none' for local deployments #65333 proposes defaulting local gateway auth mode to none; that work could conflict with this boundary if it lands before or without the Tailscale Serve hardening.
• This is security-sensitive Gateway authentication-boundary work and needs maintainer/security review rather than automated cleanup.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e46dccb35374.