Description
OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually determine the authentication token.
Published: 2026-03-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Token Disclosure via Timing Attack
Action: Patch Now
AI Analysis

Impact

A timing side‑channel exists in OpenClaw’s hook token validation because string comparison is performed in a non‑constant‑time manner. An attacker can use the time taken to compare string fragments across many requests to deduce the exact value of a hook token. The disclosure of this token effectively compromises the authentication mechanism for the hooks endpoint and can allow further unauthorized use of OpenClaw’s API endpoints that rely on the same token.

Affected Systems

The vulnerability affects the OpenClaw product, specifically all releases older than version 2026.2.12. Users running OpenClaw should check whether they are on a pre‑2026.2.12 build and plan an upgrade accordingly.

Risk and Exploitability

The CVSS score of 8.2 indicates a high‑severity flaw, yet the EPSS score is below 1% and the flaw is not yet listed in CISA’s KEV catalog, suggesting a low probability of widespread exploitation at the moment. The likely attack path involves a remote attacker with network access to the hooks endpoint, sending multiple crafted requests to measure response times and gradually reconstruct the token. While the attack requires repeated measurements, the information gained can be highly valuable to attackers.

Generated by OpenCVE AI on April 16, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.12 or later, which implements constant‑time comparison for hook token validation.
  • If an immediate upgrade is not possible, restrict external traffic to the hooks endpoint using firewalls or access control lists to limit the attack surface.
  • Apply rate limiting to the hooks endpoint to reduce the feasibility of repeated timing measurements that an attacker would rely on.

Generated by OpenCVE AI on April 16, 2026 at 12:02 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-jmm5-fvh5-gf4p
Title: OpenClaw has non-constant-time token comparison in hooks authentication
History

Mon, 09 Mar 2026 18:15:00 +0000

Type: Metrics
Values removed: none
Values added:
  • ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 16:45:00 +0000

Type: Metrics
Values removed:
  • cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values added:
  • cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 05 Mar 2026 22:15:00 +0000

Values removed: none
Values added:
  • Description: OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually determine the authentication token.
  • Title: OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication
  • First Time appeared: Openclaw, Openclaw openclaw
  • Weaknesses: CWE-208
  • CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Openclaw, Openclaw openclaw
  • References:
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • Metrics: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-09T17:50:10.095Z

Reserved: 2026-02-27T19:18:35.479Z

Link: CVE-2026-28464

Vulnrichment

Updated: 2026-03-09T17:50:05.300Z

NVD

Status: Analyzed

Published: 2026-03-05T22:16:19.393

Modified: 2026-03-09T17:14:04.110

Link: CVE-2026-28464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses