Description
OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted configuration data to obtain plaintext signing keys used for Nostr protocol operations.
Published: 2026-04-28
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Plaintext exposure of Nostr private keys enabling unauthorized signing
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.31 store Nostr private keys as unencrypted text in the configuration. The configuration retrieval API, config.get, bypasses the normal redaction logic, allowing an attacker to pull the entire configuration without masking. This vulnerability directly compromises the signing identities used for Nostr operations, potentially letting an attacker forge messages and impersonate legitimate users.

Affected Systems

All installations of OpenClaw older than 2026.3.31 are affected. The issue is tied to the OpenClaw product from OpenClaw. No specific hardware or operating system is limited.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high risk. EPSS data is not available, and the vulnerability is not listed in CISA KEV. Attackers require access to the configuration API or a method to invoke config.get. The likely attack vector is through a vulnerable API endpoint or an insider who can read configuration files, but exploitation is technically feasible from any location that can reach the configuration interface. The impact is significant because it would allow the compromise of private keys used for Nostr protocol signing.

Generated by OpenCVE AI on April 28, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later where private keys are no longer stored in plain text
  • Restrict or disable the config.get method or apply strict access controls so that only authorized users can retrieve configuration values
  • Rotate all Nostr private keys that may have been exposed by the affected configuration before applying the patch

Generated by OpenCVE AI on April 28, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted configuration data to obtain plaintext signing keys used for Nostr protocol operations.
Title OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-312
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T12:18:51.348Z

Reserved: 2026-04-20T14:12:09.519Z

Link: CVE-2026-41385

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:41.630

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41385

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z

Weaknesses