Description
OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handling for shared secrets.
Published: 2026-04-28
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: Timing Side Channel – Secret Length Disclosure
Action: Patch
AI Analysis

Impact

OpenClaw before 2026.4.2 contains a timing side channel in shared-secret comparison call sites that perform early length-mismatch checks instead of fixed-length comparison helpers. The vulnerability allows attackers to measure timing differences and leak the length of shared secrets, thereby weakening constant‑time handling of secrets and potentially aiding further attacks on authentication mechanisms.

Affected Systems

All OpenClaw releases prior to 2026.4.2 are affected, with the OpenClaw application itself as the impacted product.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity vulnerability. The EPSS score is not available, and the defect is not listed in the CISA KEV catalog. The likely attack vector involves an adversary able to measure the timing of authentication requests—either from a network perspective or via local execution. Successful exploitation can expose secret-length information, reducing the effectiveness of security controls that rely on constant‑time comparisons.

Generated by OpenCVE AI on April 28, 2026 at 22:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.2 or newer.
  • If an upgrade is not immediately possible, modify shared‑secret comparison routines to use a constant‑time helper that eliminates early length‑mismatch checks.
  • As a temporary protective measure, implement request rate limiting and monitor for abnormal timing patterns that may indicate side‑channel probing.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handling for shared secrets.
Title | | OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-208
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Metrics | | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-28T18:10:04.932Z

Reserved: 2026-04-20T14:15:22.223Z

Link: CVE-2026-41407

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-28T19:37:44.433

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41407

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses