diff --git a/scripts/docker/setup.sh b/scripts/docker/setup.sh
index cfa6fd4046e..f6436c9ebca 100755
--- a/scripts/docker/setup.sh
+++ b/scripts/docker/setup.sh
@@ -12,6 +12,16 @@ SANDBOX_ENABLED=""
 DOCKER_SOCKET_PATH="${OPENCLAW_DOCKER_SOCKET:-}"
 TIMEZONE="${OPENCLAW_TZ:-}"
 
+# Temp file for the --no-deps + network_mode:bridge Compose override used by
+# config read/write calls that must not start (or join) the gateway service.
+BRIDGE_OVERRIDE_FILE="$(mktemp)"
+trap 'rm -f "$BRIDGE_OVERRIDE_FILE"' EXIT
+cat >"$BRIDGE_OVERRIDE_FILE" <<'YAML'
+services:
+  openclaw-cli:
+    network_mode: bridge
+YAML
+
 fail() {
   echo "ERROR: $*" >&2
   exit 1
@@ -106,9 +116,22 @@ ensure_control_ui_allowed_origins() {
 
   local allowed_origin_json
   local current_allowed_origins
-  allowed_origin_json="$(printf '["http://127.0.0.1:%s"]' "$OPENCLAW_GATEWAY_PORT")"
+  # Mirror buildDefaultControlUiAllowedOrigins: always seed both localhost and 127.0.0.1.
+  allowed_origin_json="$(printf '["http://localhost:%s","http://127.0.0.1:%s"]' "$OPENCLAW_GATEWAY_PORT" "$OPENCLAW_GATEWAY_PORT")"
+  if [[ "${OPENCLAW_GATEWAY_BIND}" == "custom" ]]; then
+    local custom_bind_host
+    custom_bind_host="$(
+      docker compose "${COMPOSE_ARGS[@]}" -f "$BRIDGE_OVERRIDE_FILE" run --rm --no-deps openclaw-cli \
+        config get gateway.customBindHost 2>/dev/null || true
+    )"
+    custom_bind_host="${custom_bind_host//$'\r'/}"
+    if [[ -n "$custom_bind_host" && "$custom_bind_host" != "null" ]]; then
+      allowed_origin_json="$(printf '["http://localhost:%s","http://127.0.0.1:%s","http://%s:%s"]' \
+        "$OPENCLAW_GATEWAY_PORT" "$OPENCLAW_GATEWAY_PORT" "$custom_bind_host" "$OPENCLAW_GATEWAY_PORT")"
+    fi
+  fi
   current_allowed_origins="$(
-    docker compose "${COMPOSE_ARGS[@]}" run --rm openclaw-cli \
+    docker compose "${COMPOSE_ARGS[@]}" -f "$BRIDGE_OVERRIDE_FILE" run --rm --no-deps openclaw-cli \
       config get gateway.controlUi.allowedOrigins 2>/dev/null || true
   )"
   current_allowed_origins="${current_allowed_origins//$'\r'/}"
@@ -118,15 +141,16 @@ ensure_control_ui_allowed_origins() {
     return 0
   fi
 
-  docker compose "${COMPOSE_ARGS[@]}" run --rm openclaw-cli \
+  docker compose "${COMPOSE_ARGS[@]}" -f "$BRIDGE_OVERRIDE_FILE" run --rm --no-deps openclaw-cli \
     config set gateway.controlUi.allowedOrigins "$allowed_origin_json" --strict-json >/dev/null
   echo "Set gateway.controlUi.allowedOrigins to $allowed_origin_json for non-loopback bind."
 }
 
 sync_gateway_mode_and_bind() {
-  docker compose "${COMPOSE_ARGS[@]}" run --rm openclaw-cli \
+  docker compose "${COMPOSE_ARGS[@]}" -f "$BRIDGE_OVERRIDE_FILE" run --rm --no-deps openclaw-cli \
     config set gateway.mode local >/dev/null
-  docker compose "${COMPOSE_ARGS[@]}" run --rm openclaw-cli \
+
+  docker compose "${COMPOSE_ARGS[@]}" -f "$BRIDGE_OVERRIDE_FILE" run --rm --no-deps openclaw-cli \
     config set gateway.bind "$OPENCLAW_GATEWAY_BIND" >/dev/null
   echo "Pinned gateway.mode=local and gateway.bind=$OPENCLAW_GATEWAY_BIND for Docker setup."
 }