Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to system prompts sent to third-party model providers can derive the gateway authentication token from the hash outputs, compromising gateway authentication security.
AnalysisAI
OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.
Technical ContextAI
The vulnerability stems from CWE-320 (Key Management Errors), specifically the dual-use of a sensitive authentication credential outside its intended security domain. OpenClaw (identified via CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) implements owner-ID hashing for prompt obfuscation when displaying outputs to third-party large language model providers. When the configuration parameter commands.ownerDisplaySecret is not explicitly set, the system falls back to reusing gateway.auth.token—a credential designed exclusively for gateway authentication—as the HMAC or hash secret. This cross-domain secret reuse violates cryptographic hygiene: authentication secrets should never be repurposed for unrelated cryptographic operations, particularly those involving untrusted third parties. An attacker who observes the hashed owner-ID values in model provider logs or intercepted prompts can perform cryptanalysis or brute-force attacks against the hash function using the known hash output, potentially recovering the plaintext token.
RemediationAI
Upgrade OpenClaw immediately to version 2026.2.22 or later, which removes the insecure fallback behavior and enforces explicit configuration of commands.ownerDisplaySecret. The patch is available via the vendor repository at https://github.com/openclaw/openclaw/commit/c99e7696e6893083b256f0a6c88fb060f3a76fb7. For environments unable to patch immediately, explicitly set commands.ownerDisplaySecret to a cryptographically random value independent of any authentication credentials; do not rely on default or fallback behavior. Additionally, review all gateway.auth.token usage and revoke any tokens that may have been exposed through third-party model provider logs, and enforce TLS encryption with certificate pinning for all communications with external model providers to reduce interception risk.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-320 – Key Management Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13974
GHSA-8mr2-f9wf-hcfq