Description
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.
Published: 2026-04-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows non-admin authenticated clients to view configuration metadata in Gateway connect snapshots. This metadata includes host-specific filesystem paths and deployment details, which can be used for host fingerprinting and to facilitate further attacks. The weakness is classified as CWE-497, Exposure of Sensitive System Information to an Unauthorized Control Sphere.

Affected Systems

All OpenClaw deployments running a version earlier than 2026.4.2 are affected. OpenClaw is built on Node.js.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate impact for a non-admin authenticated attacker. The EPSS probability is less than 1%, implying a low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote: an authenticated non-admin client can trigger the Gateway connect process and receive the snapshot payload, from which the metadata is parsed. Because exploitation requires no elevated privileges and the CVSS score does not account for privilege escalation, the risk is limited to information exposure unless an attacker can combine this issue with other weaknesses in the same system.

Generated by OpenCVE AI on April 28, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.2 or newer.
  • Restrict access to Gateway connect snapshot requests so that only administrators can invoke the endpoint.
  • If upgrading cannot be done immediately, block non‑admin access to the snapshot API using firewall or ACL rules.



Advisories

Source: GitHub GHSA
ID: GHSA-2f7j-rp58-mr42
Title: OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients

History

Fri, 24 Apr 2026 14:15:00 +0000

Values Removed: (none)
Values Added:

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 22:15:00 +0000

Values Removed: (none)
Values Added:

  • Description: OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.
  • Title: OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot
  • First Time appeared: Openclaw; Openclaw openclaw
  • Weaknesses: CWE-497
  • CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Openclaw; Openclaw openclaw
  • References
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
  • Metrics: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T13:34:55.427Z

Reserved: 2026-04-20T14:05:09.183Z

Link: CVE-2026-41339

Vulnrichment

Updated: 2026-04-24T13:34:51.683Z

NVD

Status: Analyzed

Published: 2026-04-23T22:16:40.140

Modified: 2026-04-29T17:06:24.007

Link: CVE-2026-41339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses