Description
OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handling for shared secrets.
Published: 2026-04-28
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Timing Side Channel – Secret Length Disclosure
Action: Patch
AI Analysis

Impact

OpenClaw before 2026.4.2 contains a timing side channel in shared-secret comparison call sites that perform early length-mismatch checks instead of fixed-length comparison helpers. The vulnerability allows attackers to measure timing differences and leak the length of shared secrets, thereby weakening constant‑time handling of secrets and potentially aiding further attacks on authentication mechanisms.

Affected Systems

All OpenClaw releases prior to 2026.4.2 are affected, with the OpenClaw application itself as the impacted product.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity vulnerability. The EPSS score is not available, and the defect is not listed in the CISA KEV catalog. The likely attack vector involves an adversary able to measure the timing of authentication requests—either from a network perspective or via local execution. Successful exploitation can expose secret-length information, reducing the effectiveness of security controls that rely on constant‑time comparisons.

Generated by OpenCVE AI on April 28, 2026 at 22:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.2 or newer.
  • If an upgrade is not immediately possible, modify shared‑secret comparison routines to use a constant‑time helper that eliminates early length‑mismatch checks.
  • As a temporary protective measure, implement request rate limiting and monitor for abnormal timing patterns that may indicate side‑channel probing.



Advisories
Source: Github GHSA
ID: GHSA-jj6q-rrrf-h66h
Title: OpenClaw: Shared-secret comparison call sites leaked length information through timing
History

Thu, 30 Apr 2026 13:15:00 +0000

Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 19:15:00 +0000

Values Added:
  • Description: OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handling for shared secrets.
  • Title: OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison
  • First Time appeared: Openclaw; Openclaw openclaw
  • Weaknesses: CWE-208
  • CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Openclaw; Openclaw openclaw
  • References
  • Metrics: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}; cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-30T12:53:19.636Z

Reserved: 2026-04-20T14:15:22.223Z

Link: CVE-2026-41407

Vulnrichment

Updated: 2026-04-30T12:53:15.305Z

NVD

Status : Analyzed

Published: 2026-04-28T19:37:44.433

Modified: 2026-04-30T19:38:01.910

Link: CVE-2026-41407

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses