Description
OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually recover the authentication token.
Published: 2026-03-05
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via timing side‑channel
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions before 2026.2.13 validate hook tokens with a string comparison that returns as soon as it meets a mismatched byte, so the time taken to reject a token grows with the length of the correctly guessed prefix. An attacker who can send repeated requests to the hooks endpoint and measure response times can use that difference to recover the token one byte at a time. A recovered token lets the attacker call the protected hooks, which, depending on what those hooks do, could mean unauthorized execution or data exposure. The weakness is a classic timing side‑channel, CWE‑208. No privileges, user interaction or local access are required; network access to the hooks API is sufficient. The per‑byte timing difference is small, so a practical attack needs many samples per guessed byte to average out network jitter, which is what the High attack complexity (AC:H) in the CVSS 4.0 vector reflects.

Affected Systems

The vulnerability affects the OpenClaw application (CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*, the Node.js application). All releases prior to 2026.2.13 are impacted. Versions 2026.2.13 and later contain the constant‑time comparison and are not affected.

Risk and Exploitability

The CVSS 4.0 base score of 6.3 (AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N) is medium severity; the CVSS 3.1 score recorded for the CVE was revised from 9.8 to 4.8 on the day of publication (see History). The EPSS score is below 1 %, which suggests a low probability of exploitation at the time of this analysis, and the SSVC record lists Exploitation: none and Automatable: no. The vulnerability is not in the CISA KEV catalog, so CISA has not confirmed exploitation in the wild; that is not evidence that exploitation is impossible. An attacker needs to send many requests over a reasonably stable network path, measure response latency with enough resolution, and aggregate the results over repeated trials for each token byte. This is feasible with modest effort against an exposed endpoint, although a noisy path or request throttling raises the cost considerably. The risk is therefore moderate, but the value of a recovered token warrants prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 11:57 UTC.

Remediation

No vendor advisory link or workaround is recorded in this section; the CVE description identifies OpenClaw 2026.2.13 as the release containing the fix.

OpenCVE Recommended Actions

  • Apply OpenClaw 2026.2.13 or later, which implements a constant‑time comparison for hook tokens
  • Implement rate limiting or request throttling on the hooks endpoint to reduce timing precision and deter exhaustive timing attacks; this raises the number of requests and the time the attack needs but does not remove the leak, so it is a mitigation, not a fix
  • Restrict network access to the hooks API via firewall rules or VPN so that only trusted hosts can reach it


Advisories
Source: GitHub GHSA
ID: GHSA-47q7-97xp-m272
Title: OpenClaw: Config writes could persist resolved ${VAR} secrets to disk
History

Mon, 09 Mar 2026 18:15:00 +0000

  Metrics
    ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 22:45:00 +0000

  Metrics
    cvssV3_1 removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    cvssV3_1 added:   {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Thu, 05 Mar 2026 22:15:00 +0000

  Description added: OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually recover the authentication token.
  Title added: OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison
  First Time appeared: Openclaw; Openclaw openclaw
  Weaknesses added: CWE-208
  CPEs added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products added: Openclaw; Openclaw openclaw
  References: (no values shown)
  Metrics
    cvssV3_1 added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    cvssV4_0 added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-09T18:09:28.182Z

Reserved: 2026-02-27T19:19:53.205Z

Link: CVE-2026-28475

Vulnrichment

Updated: 2026-03-09T18:09:23.682Z

NVD

Status : Analyzed

Published: 2026-03-05T22:16:21.617

Modified: 2026-03-11T16:17:15.977

Link: CVE-2026-28475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:00:11Z

Weaknesses